-
HP Firewalls and UTM Devices Access Control Configuration Guide
Part number: 5998-4165
Software version:
    F1000-A-EI: Feature 3722
    F1000-S-EI: Feature 3722
    F5000: Feature 3211
    F1000-E: Feature 3174
    Firewall module: Feature 3174
    Enhanced firewall module: ESS 3807
    U200-A: ESS 5132
    U200-S: ESS 5132
Document version: 6PW100-20121228
-
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
-
Contents
Configuring ACLs ..... 1
    Feature and hardware compatibility ..... 1
    Overview
-
    Enabling the share attribute of a security zone ..... 39
    Adding interfaces to a security zone ..... 39
    Creating an interzone instance ..... 39
    Security zone configuration example
-
    Displaying and maintaining interzone policies ..... 100
    Interzone policy rule configuration example ..... 100
    Interzone policy group configuration example ..... 103
    Using a wizard to configure a firewall policy
-
Configuring portal authentication ..... 147
    Feature and hardware compatibility ..... 147
    Overview ..... 147
    Extended
-
    RADIUS attributes ..... 197
    Configuring AAA at the CLI ..... 200
    Configuring local users ..... 201
    Configuring R
-
    Documents ..... 289
    Websites ..... 289
    Conventions
-
Configuring ACLs

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The Web interface does not support configuring IPv6 ACLs.
-
Numbering and naming ACLs

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you cannot rename it or delete its name. For an IPv4 basic or advanced ACL, the ACL number and name must be unique among IPv4 ACLs; for an IPv6 basic or advanced ACL, the ACL number and name must be unique among IPv6 ACLs.
-
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask are "do care" bits and the 1 bits are "don't care" bits. If the "do care" bits of an IP address are identical to the "do care" bits of the IP address criterion, the IP address matches the criterion; all "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.
-
You can specify a time range in ACL rules before or after you create the time range. However, rules that use the time range take effect only after you define it.

Fragment filtering with ACLs

Traditional packet filtering matches only the first fragments of packets and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
-
Complete the following tasks to configure an Ethernet frame header ACL:

Task                                          Remarks
1. Create an Ethernet frame header ACL.       Required. For more information, see "Creating an ACL".
2. Configure an Ethernet frame header ACL.    Required.

Recommended IPv6 basic ACL configuration procedure

IPv6 basic ACLs match packets based only on source IP addresses. Complete the following tasks to configure an IPv6 basic ACL:

Task                             Remarks
1. Create an IPv6 basic ACL.     Required.
-
Figure 1 ACL list
2. Click Add to enter the ACL configuration page.
Figure 2 ACL configuration page
3. Add an ACL as described in Table 2.
4. Click Apply.

Table 2 Configuration items
Item           Description
ACL Number     Enter a number for the ACL.
Match Order    Select a match order for the ACL. Available values are:
               • Config—Sorts ACL rules in ascending order of rule ID.
               • Auto—Sorts ACL rules in depth-first order.
Description    Enter a description for the ACL.
-
Figure 3 List of IPv4 basic ACL rules
3. Click Add to enter the IPv4 basic ACL rule configuration page.
Figure 4 IPv4 basic ACL rule configuration page
4. Configure a rule as described in Table 3.
5. Click Apply.

Table 3 Configuration items
Item       Description
Rule ID    Select the Rule ID box, and enter a number for the rule. If you do not specify a rule number, the system automatically assigns one to the rule. If the rule already exists, the configuration overwrites the old rule.
-
Item                 Description
Logging              Select this box to log matching packets. A log entry contains the ACL rule number, the action on the matching packets, the protocol that IP carries, the source/destination address, the source/destination port number, and the number of matching packets.
Source IP Address    Select the Source IP Address box, and enter a source IP address and source wildcard, in dotted decimal notation.
Source Wildcard
VPN Instance         Select a VPN. If you select None, the rule applies only to non-VPN packets.
-
Figure 6 IPv4 advanced ACL rule configuration page
4. Configure an IPv4 advanced ACL rule as described in Table 4.
5. Click Apply.

Table 4 Configuration items
Item       Description
Rule ID    Select the Rule ID box, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. If the rule already exists, the configuration overwrites the old rule.
-
Item                      Description
Source IP Address         Select the Source IP Address box, and enter a source IP address and source wildcard, in dotted decimal notation.
Source Wildcard
Destination IP Address    Select the Destination IP Address box, and enter a destination IP address and destination wildcard, in dotted decimal notation.
Destination Wildcard
VPN Instance              Specify the VPN. If you select None, the rule applies only to non-VPN packets.
                          Select the protocol to be carried over by IP.
-
Figure 7 List of Ethernet frame header ACL rules
3. Click Add to enter the configuration page for Ethernet frame header ACL rules.
Figure 8 Ethernet frame header ACL rule configuration page
4. Configure an Ethernet frame header ACL rule as described in Table 5.
5. Click Apply.

Table 5 Configuration items
Item       Description
Rule ID    Select the Rule ID box, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
-
Item                       Description
Destination MAC Address    Select the Destination MAC Address box, and specify the destination MAC address and wildcard.
Destination Wildcard
LSAP Type                  Select the LSAP Type box, and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following two items:
LSAP Wildcard              • LSAP Type—Specifies the encapsulation format.
                           • LSAP Wildcard—Specifies the LSAP mask.
-
Table 6 Configuration items
Item           Description
ACL Number     Enter a number for the ACL:
               • 2000-2999 for IPv6 basic ACLs
               • 3000-3999 for IPv6 advanced ACLs
               The IPv6 basic ACL or IPv6 advanced ACL number is unique only among IPv6 ACL numbers.
Match Order    Select a match order for the ACL. Available values are:
               • Config—Sorts ACL rules in ascending order of rule ID.
               • Auto—Sorts ACL rules in depth-first order.
Description    Enter a description for the ACL.

Configuring an IPv6 basic ACL rule
1.
-
Item          Description
Operation     Select the operation to be performed for packets matching the rule:
              • Permit—Allows matching IPv6 packets to pass.
              • Deny—Denies matching IPv6 packets.
Time Range    Select a time range for the rule.
Logging       Select this box to log matching IPv6 packets.
-
4. Configure an IPv6 advanced ACL rule as described in Table 8.
5. Click Apply.

Table 8 Configuration items
Item         Description
Rule ID      Select the Rule ID box, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. If the rule already exists, the configuration overwrites the old rule.
Operation    Select the action to be performed on packets matching the rule:
             • Permit—Allows matching packets to pass.
             • Deny—Denies matching packets.
-
• Allow hosts on other segments to access Firewall using HTTP only on working days.

Figure 15 Network diagram

Configuring Firewall

CAUTION: The three ACL rules must be configured in the shown order.

1. Create a periodic time range of Saturday and Sunday:
   a. Select Resource > Time Range from the navigation tree.
   b. Click Add.
   c. Enter time in the Name field. Select the Periodic Time Range box. Select the Sun. and Sat. boxes.
   d. Click Apply.
Figure 16 Creating a time range
2.
-
Figure 17 Creating an IPv4 basic ACL
3. Create a rule to allow Host A to access Firewall:
   a. Click the icon for ACL 2000.
   b. Click Add.
   c. Select Permit from the Operation list. Select the Source IP Address box and enter 192.168.1.2 and 0.0.0.0 in the following fields.
   d. Click Apply.
Figure 18 Configuring a rule to allow Host A to access Firewall
4. Create a rule to deny access of other hosts to Firewall on Saturday and Sunday:
   a. On the page displaying the rules of ACL 2000, click Add.
   b.
-
Figure 19 Configuring an IPv4 basic ACL rule to deny access of other hosts to Firewall on Saturday and Sunday
5. Configure an IPv4 basic ACL rule to allow other hosts to access Firewall:
   a. On the page displaying the rules of ACL 2000, click Add.
   b. Select Permit.
   c. Click Apply.
Figure 20 Configuring an IPv4 basic ACL rule to allow other hosts to access Firewall
6. Associate HTTP service with IPv4 basic ACL 2000:
   a. Select Device Management > Service Management from the navigation tree.
   b.
-
Figure 21 Associating HTTP service with ACL 2000

Configuring the ACL at the CLI

Configuration task list

Task                                          Remarks
Configuring a basic ACL                       Required. Configure at least one task.
Configuring an advanced ACL                   Configuring a basic ACL is applicable to IPv4 and IPv6.
Configuring an Ethernet frame header ACL      Configuring an Ethernet frame header ACL is applicable to IPv4.
Copying an ACL                                Optional. Applicable to IPv4 and IPv6.
-
Step: Create an IPv4 basic ACL and enter its view.
Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

Step: Configure a description for the IPv4 basic ACL.
Command: description text

Step: Set the rule numbering step.
Command: step step-value

Step 5: Create or edit a rule.
Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Step 6: Add or edit a rule comment.
-
Step 5: Create or edit a rule.
Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Remarks: By default, an IPv6 basic ACL does not contain any rule.

Step 6: Add or edit a rule comment.
Command: rule rule-id comment text

Step 7: Add or edit a rule range remark.
Command: rule [ rule-id ] remark text
-
Step 5: Create or edit a rule.
-
Step: Set the rule numbering step.
Command: step step-value
Remarks: Optional.

Step 5: Create or edit a rule.
-
Step 5: Create or edit a rule.
Command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
Remarks: By default, an Ethernet frame header ACL does not contain any rule.

Step 6: Add or edit a rule comment.
Command: rule rule-id comment text

Step 7: Add or edit a rule range remark.
Command: rule [ rule-id ] remark text
Remarks: Optional.
-
Hardware                 ACL acceleration compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  Yes
F5000                    Yes
Firewall module          Yes
U200-A                   No
U200-S                   No

CAUTION:
• ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask.
• After you modify an ACL with ACL acceleration enabled, disable and re-enable ACL acceleration to ensure correct rule matching.

ACL acceleration speeds up ACL lookup. The acceleration effect increases with the number of ACL rules. ACL acceleration uses memory.
-
Task: Display ACL acceleration information of the specified or all ACLs (including IPv4 basic ACLs and IPv4 advanced ACLs).
Command: display acl accelerate { acl-number | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view. Support for this command varies by device model. For more information, see Access Control Command Reference.

Task: Display configuration and match statistics for IPv6 basic and IPv6 advanced ACLs.
-
Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.
system-view
[Firewall] time-range work 8:0 to 18:0 working-day
# Create an IPv6 advanced ACL numbered 3000 and configure three rules in the ACL. One rule permits access from the President's office to the database server, one rule permits access from the Financial department to the database server during working hours, and one rule denies access from other departments to the database server.
-
Destination net unreachable.
Ping statistics for 1000::100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that the database server cannot be pinged.
# Display configuration and match statistics for IPv6 advanced ACL 3000 on Device A during working hours.
-
Configuring security zones

Overview

In traditional firewall security policy applications, a firewall connects an internal network and an external network, and firewall security policies are deployed on inbound and outbound interfaces. With the development of firewall technologies, a firewall now connects a DMZ as well as the internal and external networks, and tends to provide more interfaces (for example, more than ten physical interfaces) to connect more network segments.
-
Figure 23 Network diagram

When the source zone is not any, the destination zone cannot be any either. The source zone can be any, but configuring the source zone as any might make the device unconfigurable. To avoid this problem, the system defines the rule that the Management zone does not belong to the any zone.

Configuring the security zone in the Web interface

Recommended configuration procedure

Step                           Remarks
1. Creating a security zone    Optional.
-
Figure 24 Security zone management page
2. Click Add.
Figure 25 Creating a security zone
3. Configure the security zone as described in Table 9.
4. Click Apply.

Table 9 Configuration items
Item          Description
Zone ID       Specify the zone ID. The value range depends on the device model. For more information, see Table 10.
Zone Name     Specify the zone name, which cannot be any.
Preference    Set the preference of the security zone.
-
Hardware           Value range
F1000-E            1 to 1024
F5000              1 to 1024
Firewall module    1 to 1024
U200-A             1 to 256
U200-S             1 to 32

Adding members to the security zone
1. Select Device Management > Zone from the navigation tree to enter the security zone management page (see Figure 24).
2. Click the icon for the security zone.
-
Figure 26 Modifying a security zone
3. Modify the zone as described in Table 11.
4. Click Apply.

Table 11 Configuration items
Item          Description
Zone ID       Displays the zone ID.
Zone Name     Displays the zone name.
Preference    Set the preference of the specified security zone. By default, packets from a high priority security zone to a low priority security zone are allowed to pass.
Share         Set whether the specified security zone can be referenced by other VDs.
-
Item              Description
Interface         Set the interfaces to be added to the security zone. The interfaces that have been added to a security zone are in the selected status, and the interfaces that can be added but have not been added to a security zone are in the non-selected status.
Interface VLAN    If the interfaces added to the security zone are Layer 2 Ethernet interfaces, you must specify the range of the VLANs to be added to the security zone.
-
   a. Select Device Management > Zone from the navigation tree to enter the security zone management page.
   b. Click the icon for security zone Trust.
   c. Select interface GigabitEthernet0/3.
   d. Click Apply.
   e. Click Back to return to the security zone management page.
Figure 28 Configuring the Trust zone
2. Add interface GigabitEthernet 0/1 to security zone DMZ:
   a. Click the icon for security zone DMZ.
   b. Select interface GigabitEthernet0/1.
   c. Click Apply.
   d.
-
Figure 29 Configuring the DMZ zone
3. Add interface GigabitEthernet 0/2 to security zone Untrust:
   a. Click the icon for security zone Untrust.
   b. Select interface GigabitEthernet0/2.
   c. Click Apply.
   d. Click Back to return to the security zone management page.
-
Figure 30 Configuring the Untrust zone

Configuring the security zone at the CLI

Security zone configuration task list

Task                                               Remarks
Creating a security zone                           Optional
Setting the priority of a security zone            Optional
Enabling the share attribute of a security zone    Optional
Adding interfaces to a security zone               Required
Creating an interzone instance                     Optional
-
Configuring a security zone

To configure a security zone for a VD, create the VD first. For more information about VDs, see System Management and Maintenance Configuration Guide.

Creating a security zone

When creating a security zone, you must specify a security zone name and a security zone ID, each of which must be unique on the device. To enter the view of an existing security zone, you can specify the security zone name, or specify both the security zone name and the security zone ID.
-
Enabling the share attribute of a security zone

A security zone with its share attribute enabled can be used by other VDs' interzone instances as the destination security zone. A security zone with its share attribute disabled can be used only by an interzone instance of its native VD.

To enable the share attribute of a security zone:

Step 1: Enter system view.
Command: system-view
Remarks: N/A

Step 2: Enter VD system view.
Command: switchto vd vd-name
Remarks: Required for a security zone of a non-default VD.

Step 3:
-
source zone to the destination zone will be checked and processed according to the security policy. For more information about ASPF policies, interzone policies, and session logging, see Attack Protection Configuration Guide and Access Control Configuration Guide. The destination zone for an interzone instance must belong to the same VD as the source zone, or have its share attribute enabled.
-
To achieve the goal, configure the firewall as follows:
• Add the interface connected to the internal network (GigabitEthernet 0/0) to security zone Trust.
• Add the interface connected to the Internet (GigabitEthernet 0/2) to security zone Untrust.
• Deploy the servers in security zone DMZ, and add the interface connected to the servers (GigabitEthernet 0/1) to security zone DMZ.
• Create interzone instances and enable ASPF for the instances.
-
Managing services

This chapter describes how to manage the following services in the Web interface:
• FTP service—Transfers files between server and client over a TCP/IP network.
• Telnet service—Provides remote login and virtual terminal functions.
• SSH service—Offers an approach to securely logging in to a remote device. Using encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception.
-
Table 12 Configuration items
Item                       Description
FTP
  Enable FTP service       Enable or disable the FTP service. The FTP service is disabled by default.
  ACL                      Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the FTP service. You can view this configuration item by clicking the expanding button in front of FTP.
Telnet
  Enable Telnet service    Enable or disable the Telnet service.
SSH
  Enable SSH service       Enable or disable the SSH service.
-
Item    Description
ACL     Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS.

Service management configuration examples

HTTP configuration example

Network requirements

As shown in Figure 33, Host A can always access the firewall through HTTP, but other hosts can access the firewall through HTTP only on working days.
-
Figure 34 Creating a time range

Creating a basic ACL
1. Select Firewall > ACL from the navigation tree.
2. Click Add. The page for adding an ACL appears.
3. Create ACL 2000 as shown in Figure 35.
4. Select the match order Config.
5. Click Apply.
Figure 35 Creating an ACL

Creating an ACL rule to allow Host A to access Firewall all the time
1. Click the icon for ACL 2000.
2. Click Add.
-
   b. Select the Source IP Address box.
   c. Enter 192.168.1.2 in the Source IP Address field.
   d. Enter 0.0.0.0 in the Source Wildcard field.
4. Click Apply.
Figure 36 Configuring a rule to allow Host A to access Firewall all the time

Creating a rule to disable other hosts from accessing Firewall on Saturday and Sunday
1. Click Add on the page that displays the rules of ACL 2000.
2. Create an ACL rule as shown in Figure 37.
   a. Select Deny as the operation.
   b. Select time as the time range.
-
Figure 38 Configuring an ACL rule to allow other hosts to access Firewall

NOTE: The three ACL rules must be configured in the shown order.

Associating HTTP service with ACL 2000
1. Select Device Management > Service Management from the navigation tree.
2. Associate HTTP service with ACL 2000 as shown in Figure 39.
   a. Click the expansion triangle sign before HTTP to expand the configuration area.
   b. Enter 2000 in the ACL field.
3. Click Apply.
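As an added example that is not part of the HP guide, the following Python models how ACL 2000 from this example is evaluated with match order Config (ascending rule ID, first match wins), using the wildcard-mask matching described in the ACL overview and the periodic time range named time (Saturday and Sunday); it also shows why the three rules must keep the configured order. The rule IDs, the sample dates, and the treatment of a rule whose time range is undefined as inactive are assumptions made for this example.

```python
# Added example, not from the HP guide: a minimal model of IPv4 basic ACL
# evaluation in "Config" match order (ascending rule ID, first match wins)
# with wildcard-mask source matching and a periodic (day-of-week) time range.
import datetime
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask semantics: 0 bits are "do care", 1 bits are
    "don't care". Only the "do care" bits of addr and criterion are compared;
    the 0s and 1s of the wildcard need not be contiguous."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(criterion) & care)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True if the wildcard is all 0s followed by all 1s (e.g. 0.0.0.255).
    The guide notes that ACL acceleration is unavailable for ACLs whose
    wildcard masks are non-contiguous (e.g. 0.255.0.255)."""
    w = ip_to_int(wildcard)
    return (w & (w + 1)) == 0


@dataclass(frozen=True)
class PeriodicTimeRange:
    name: str
    weekdays: frozenset  # datetime.weekday() values: Monday=0 ... Sunday=6

    def active(self, when: datetime.datetime) -> bool:
        return when.weekday() in self.weekdays


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    source: Optional[Tuple[str, str]] = None     # (address, wildcard); None = any
    time_range: Optional[str] = None             # time range name; None = always


def evaluate(rules: List[Rule], time_ranges: Dict[str, PeriodicTimeRange],
             src_ip: str, when: datetime.datetime) -> Optional[Rule]:
    """Return the first rule (in ascending rule-ID order) that matches src_ip
    at time `when`, or None if no rule matches. A rule that references a
    time range that has not been defined is treated as inactive (assumption
    based on the guide's note that such rules take effect only once the
    time range is defined)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.source is not None and not wildcard_match(src_ip, *rule.source):
            continue
        if rule.time_range is not None:
            tr = time_ranges.get(rule.time_range)
            if tr is None or not tr.active(when):
                continue
        return rule
    return None


# Constructed data mirroring the HTTP example: time range "time" covers
# Saturday and Sunday; ACL 2000 permits Host A (192.168.1.2) unconditionally,
# denies everyone else at weekends, and permits everyone else otherwise.
# Rule IDs 0/5/10 are chosen here for illustration.
TIME_RANGES = {"time": PeriodicTimeRange("time", frozenset({5, 6}))}
ACL_2000 = [
    Rule(0, "permit", source=("192.168.1.2", "0.0.0.0")),
    Rule(5, "deny", time_range="time"),
    Rule(10, "permit"),
]
# The same three rules with the catch-all permit first: the weekend deny can
# never be reached, which is why the guide insists on the configured order.
ACL_2000_MISORDERED = [
    Rule(0, "permit"),
    Rule(5, "permit", source=("192.168.1.2", "0.0.0.0")),
    Rule(10, "deny", time_range="time"),
]
SATURDAY = datetime.datetime(2012, 12, 29, 10, 0)   # constructed sample dates
FRIDAY = datetime.datetime(2012, 12, 28, 10, 0)


def http_decision(rules: List[Rule], src_ip: str, when: datetime.datetime) -> str:
    """Action the ACL yields for an HTTP client at src_ip, or "no-match"."""
    rule = evaluate(rules, TIME_RANGES, src_ip, when)
    return rule.action if rule else "no-match"


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.3"):
        for label, when in (("Friday", FRIDAY), ("Saturday", SATURDAY)):
            print(ip, label, http_decision(ACL_2000, ip, when),
                  "(misordered:", http_decision(ACL_2000_MISORDERED, ip, when) + ")")
```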
-
To meet the requirements, configure the firewall as an HTTPS server and apply for a certificate for the firewall. The name of the certificate authority (CA) that issues certificates to the firewall and the host is CA server. This example uses a Windows server as the CA that has the Simple Certificate Enrollment Protocol (SCEP) component installed. Before proceeding with the following configuration, make sure that the firewall, the host, and CA can reach each other.
-
Creating a PKI domain
1. Select VPN > Certificate Management > Domain from the navigation tree.
2. Click Add. The page for adding a PKI domain appears.
3. Add a PKI domain as shown in Figure 42.
   a. Enter 1 as the PKI domain name.
   b. Enter CA server as the CA identifier.
   c. Select en as the local entity.
   d. Select RA as the authority for certificate request.
   e. Enter http://10.1.2.2/certsrv/mscep/mscep.dll as the URL for certificate request.
4. Click Apply.
5.
-
Figure 43 Generating an RSA key pair

Retrieving the CA certificate
1. Select VPN > Certificate Management > Certificate from the navigation tree.
2. Click Retrieve Cert. The page for retrieving a certificate appears.
3. Retrieve the CA certificate as shown in Figure 44.
   a. Select 1 as the PKI domain name.
   b. Select CA as the certificate type.
4. Click Apply.
Figure 44 Retrieving a certificate

Requesting a local certificate
1.
-
When the certificate request succeeds, the local certificate information for PKI domain 1 is displayed in the certificate list.

Enabling HTTPS service and associating HTTPS service with PKI domain 1
1. Select Device Management > Service Management from the navigation tree. The service management configuration page appears.
Figure 46 Enabling HTTPS service
2. Select the Enable HTTPS service box.
3. Select CN=http-server1 from the certificate list.
4. Click Apply.
-
Configuring address resources

Address resource overview

In the Web interface, address resources are classified into the following categories: IP address resource, IP address group resource, MAC address resource, and MAC address group resource. They can be referenced by interzone policies to define packet match criteria. Matching packets are permitted or denied based on the interzone policy configuration. For more information, see "Configuring an interzone policy."
-
Figure 48 Host address resource configuration page
3. Configure the host address resource as described in Table 13.
4. Click Apply.

Table 13 Configuration items
Item                      Description
IP Address / Host name    Select either of them as the address resource type.
Name                      Specify the name for the host address resource. IMPORTANT: All resources (excluding the time range resources) must have unique names.
Description               Describe the host address resource in brief.
-
2. Click the Range tab. The address range resource list page appears.
Figure 49 Address range resource list
3. Click Add. The page for configuring an address range resource appears.
Figure 50 Address range resource configuration page
4. Configure the address range resource as described in Table 14.
5. Click Apply.

Table 14 Configuration items
Item    Description
Name    Specify the name for the address range resource.
-
Item                  Description
Exclude IP Address    Specify the IP addresses to be excluded:
                      • Enter an IP address in the field next to the Add button, and then click Add to add it to the excluded IP address list.
                      • Select one or more IP addresses in the excluded IP address list, and then click Remove to remove them from the list.

Configuring a subnet address resource
1. Select Resource > Address > IP Address from the navigation tree.
2. Click the Subnet tab. The subnet address resource list page appears.
-
4. Configure the subnet address resource as described in Table 15.
5. Click Apply.

Table 15 Configuration items
Item           Description
Name           Specify the name for the subnet address resource. IMPORTANT: All resources (excluding the time range resources) must have unique names.
Description    Describe the subnet address resource in brief.
IP/Wildcard    Specify an IP address and a wildcard to define an address range.
-
Figure 54 IP address group resource configuration page
3. Configure the IP address group resource as described in Table 16.
4. Click Apply.

Table 16 Configuration items
Item           Description
Name           Specify the name for the address group resource. IMPORTANT: All resources (excluding the time range resources) must have unique names.
Description    Describe the address group resource in brief.
-
Figure 55 MAC address resource list
2. Click Add. The page for configuring a MAC address resource appears.
Figure 56 MAC address resource configuration page
3. Configure the MAC address resource as described in Table 17.
4. Click Apply.

Table 17 Configuration items
Item           Description
Name           Specify the name for the MAC address resource. IMPORTANT: All resources (excluding the time range resources) must have unique names.
Description    Describe the MAC address resource in brief.
-
2. Click the MAC Address Group tab. The MAC address group list page appears.
Figure 57 MAC address group list
3. Click Add. The page for configuring the MAC address group appears.
Figure 58 MAC address group configuration page
4. Configure the MAC address group as described in Table 18.
5. Click Apply.

Table 18 Configuration items
Item    Description
Name    Specify the name for the MAC address group resource. IMPORTANT: All resources (excluding the time range resources) must have unique names.
-
Exporting and importing configuration

Perform this task to export and import the configurations of address resources, service resources (excluding default service resources), and interzone policies to and from specified files. On any address resource list page, you can export address resources and service resources but not interzone policies, and you can import all such configurations. For more information, see "Configuring service resources."

Exporting configuration
1.
-
Configuring address resources at the CLI

At the CLI, address resources are called "address objects" and fall into the following categories:
• IP address object—An IP address object comprises one host name or one or more IP addresses. Only IPv4 addresses are supported.
• IP address group object—An IP address group object comprises IP address objects, IP address group objects, or both.
• MAC address object—A MAC address object comprises one or more MAC addresses.
-
Step 3: Create a host address object and enter host address object view.
Command: object network host name
Remarks: By default, no host address object is configured.

Step 4: Configure a description for the object.
Command: description description-string
Remarks: By default, no description is configured for an object.

Step 5: Add a host IP address or host name to the object.
Command: • Add a host IP address to the object:
Remarks: Use either command to add one type to the object.
-
Step 2: Enter VD system view.
Command: switchto vd vd-name
Remarks: Required only when you are first logged in to the system view of the default VD and want to configure an object for a non-default VD.

Step 3: Create a subnet address object and enter subnet address object view.
Command: object network subnet name
Remarks: By default, no subnet address object is configured. If the object already exists, you enter its view.

Step 4: Configure a description for the object.
Remarks: Optional.
-
Step 2: Enter VD system view.
Command: switchto vd vd-name
Remarks: Required only when you are first logged in to the system view of the default VD and want to configure an object for a non-default VD.

Step 3: Create a MAC address object and enter MAC address object view.
Command: object mac name
Remarks: By default, no MAC address object is configured. If the object already exists, you enter its view.

Step 4: Configure a description for the object.
Command: description description-string

Step 5: Add a MAC address to the object.
-
Task                                  Command                                           Remarks
Display MAC address objects.          display object mac [ vd vd-name ]                 Available in any view.
Display a specific object.            display object name object-name [ vd vd-name ]    Available in any view.
Display IP address group objects.     display object-group network [ vd vd-name ]       Available in any view.
Display MAC address group objects.    display object-group mac [ vd vd-name ]           Available in any view.
Display a specific group object.
-
Configuring service resources
Overview
A service resource defines a service by specifying the protocol to be carried by IP and the protocol-specific items. It may be referenced by an interzone policy as a packet match criterion. An interzone policy determines whether to allow a packet to pass through. For more information about interzone policies, see Security Configuration Guide.
Service resources fall into three categories:
• Default service resources—Created by the device during initialization.
-
Configuring a customized service resource
1. From the navigation tree, select Resource > Service > Customized Service. All existing customized service resources are displayed, as shown in Figure 62.
Figure 62 Customized service resource list
2. Click Add. The customized service resource configuration page appears.
Figure 63 Customized service resource configuration page
3. Configure the parameters, as described in Table 19.
4. Click Apply.
-
Item Description
Source Port / Destination Port (TCP)
   • To define a port range, type two different port numbers. Make sure the second port number is greater than the first one.
   • To define a single port, type the same port number in the two fields in a row.
Source Port / Destination Port (UDP)
   Set the source and destination UDP port ranges in the fields. These fields are available after you select UDP.
   • To define a single port, type the same port number in the two fields in a row.
Type (ICMP)
-
Configuring a service group resource
1. From the navigation tree, select Resource > Service > Service Group. All existing service group resources are displayed, as shown in Figure 64.
Figure 64 Service group resource list
2. Click Add. The service group resource configuration page appears.
Figure 65 Service group resource configuration page
3. Configure the parameters, as described in Table 21.
4. Click Apply.
-
Item Description
Group Members: Add or remove service resources:
• Select one or more service resources from the Available Group Members list and then click << to add them to the Group Members list.
• Select one or more service resources from the Group Members list and then click >> to remove them from the Group Members list.
The Available Group Members list contains all default and customized service resources that have been configured.
-
Figure 67 Importing the configurations
Configuring the service resource at the CLI
Service resources are also referred to as service objects at the CLI:
• Service object—A service object comprises a single protocol.
• Service group object—A service group object comprises service objects, service group objects, or both.
In addition to service objects and service group objects, the CLI also provides IP objects, IP address group objects, MAC address objects, and MAC address group objects.
-
Step Command Remarks
5. Add a protocol to the object.
   Command: service { protocol | icmp icmp-type icmp-code | { tcp | udp } [ source-port source-port-start [ source-port-end ] ] [ destination-port destination-port-start [ destination-port-end ] ] }
   Remarks: By default, a user-defined service object comprises no protocol. A service object can comprise only one protocol. If you execute this command multiple times, the most recent configuration takes effect.
-
Configuring a time range resource
Overview
A time range resource defines a time range, which can be referenced by an ACL or an interzone policy to control when a rule is effective. The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
• Absolute time range—Represents only a period of time and does not recur.
-
Figure 69 Time range resource configuration page
3. Configure the time range resource as described in Table 22.
4. Click Apply.
Table 22 Configuration items
Item Description
Name: Enter the name for the time range resource. If a time range resource with the specified name already exists, you can add time ranges to the time range resource. Otherwise, you can add a new time range resource.
Periodic Time Range Start Time.
-
Step Command Remarks
2. Configure a time range.
   Command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
   Remarks: By default, no time range exists.
3. Display the configuration and status of one or all time ranges.
-
Configuring an interzone policy
Feature and hardware compatibility
Hardware / IPv6 interzone policy compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
Overview
An interzone policy is a set of policy rules or IPv4 advanced ACLs that implements security control over packets between a source and a destination security zone. These two zones define an interzone instance.
-
When an interzone policy references multiple ACLs, packets of the interzone instance are matched against the ACLs in the order that the ACLs are displayed:
• In the Web interface, the ACL displayed first is matched first. Generally, ACLs are displayed in the order they are configured, so the first configured ACLs are displayed first.
• At the CLI, ACLs are matched in the order that they are displayed in the output of the display this command in interzone instance view.
-
Creating an interzone policy rule
1. From the navigation tree, select Firewall > Security Policy > Interzone Policy to enter the interzone policy rule list page.
-
NOTE: The "Match Counter" field refers to the number of times that the interzone policy rule has been matched. Click Clear match counter to clear the match counters of all interzone policy rules and interzone policy groups.
2. Click Add to enter the interzone policy rule (that is, the ACL rule) configuration page.
Figure 71 Interzone policy rule configuration page
3. Configure an interzone policy rule as described in Table 24.
4. Click Apply.
-
Item Description
Source IP Address: Configure a source address resource for the rule by creating an address resource or referencing an existing address resource.
• If you select the New IP Address option, specify an IP address and wildcard. After you apply the configuration, the system automatically creates a subnet address resource. For example, if you enter 1.1.1.1/0.0.0.255, a subnet address resource is created with the resource name 1.1.1.1/0.0.0.255.
-
Item Description
Source MAC Address, Destination MAC Address: Set the source and destination MAC addresses.
• Enter a new MAC address in the field. The new MAC address becomes a MAC address resource after you apply your configuration, and the resource name is the MAC address.
• You can also select from the MAC address (group) resource list, or click Multiple to select more MAC addresses (groups).
-
Changing the priority of a rule
1. Select Firewall > Security Policy > Interzone Policy from the navigation tree to enter the interzone policy rule list page.
2. Click the icon for a rule to bring up the dialog box shown in Figure 72.
Figure 72 Modifying the priority of a rule
3. Enter the ID of the target rule in the field and click Apply to place the rule before the target rule.
   ◦ If you enter 65535, the rule is placed at the end of all the rules.
-
◦ Create security zones to which you will apply an interzone policy (see "Configuring security zones").
◦ Configure IPv4 advanced ACLs (see "Configuring ACLs").
Configuration procedure
To configure an interzone policy group:
◦ Select Firewall > Security Policy > Interzone Policy Group from the navigation tree to enter the interzone policy group list page.
-
Figure 75 Interzone policy group configuration page
◦ Configure the interzone policy group as described in Table 26.
◦ Click Apply.
Table 26 Configuration items
Item Description
Source Zone: Select a source zone for the interzone policy group. Any means all zones on the virtual device.
Dest Zone: Select a destination zone for the interzone policy group. Any means all zones on the virtual device. Virtual device name-Any means all shared zones on the virtual device with the specified name.
-
Before configuring an interzone policy group, complete the following tasks:
• Create security zones to which you will apply an interzone policy (see "Configuring security zones").
• Configure IPv6 basic or IPv6 advanced ACLs (see "Configuring ACLs").
Configuration procedure
◦ Select Firewall > Security Policy > IPv6 Interzone Policy Group from the navigation tree to enter the interzone policy group list page.
-
Figure 77 Adding an IPv6 interzone policy group
◦ Configure the interzone policy group as described in Table 28.
◦ Click Apply.
Table 28 Configuration items
Item Description
Source Zone: Select a source zone for the interzone policy group. Any means all zones on the virtual device.
Dest Zone: Select a destination zone for the interzone policy group. Any means all zones on the virtual device. Virtual device name-Any means all shared zones on the virtual device with the specified name.
-
Exporting and importing configurations
In the Web interface, you can import and export the configuration of interzone policies (including interzone policy rules and interzone policy groups), address resources, and service resources (excluding predefined service resources) through a file, which simplifies interzone policy configuration. For more information about service resources, see "Configuring service resources." For more information about address resources, see "Configuring address resources."
-
4. Only files suffixed with .xml can be imported.
5. Click Apply to import all configurations in the file.
Displaying packet statistics of an interzone policy
1. Select Firewall > Security Policy > Policy Matching Statistics from the navigation tree.
2. Select the source and target zone, and then click Search. The page displays the results matching the search conditions. Table 29 describes the fields on the page.
-
Figure 81 Network diagram
(Method 1) Configuring an interzone policy rule on the firewall
1. Create a periodic time range from 8:00 to 18:00 on working days (Monday through Friday):
   a. Select Resource > Time Range from the navigation tree.
   b. Click Add.
   c. Enter worktime in the Name field. Select the Periodic Time Range box. Set the start time to 8:00. Set the end time to 18:00. Select the Mon., Tues., Wed., Thurs., and Fri. boxes.
   d. Click Apply.
Figure 82 Configuring a time range
2.
-
Figure 83 Configuring an IP address resource
3. Configure an access rule for host public to access the external network at any time:
   a. Select Firewall > Security Policy > Interzone Policy from the navigation tree.
   b. Click Add.
   c. Select Trust as the source zone and Untrust as the destination zone.
   d. Select public as the address.
   e. Select Permit as the filter action.
   f. Select the Enable the rule box. Select the Continue to add next rule box.
   g. Click Apply.
-
Figure 84 Allowing the host public to access the external network at any time
4. Configure an access rule to deny all the other hosts access to the external network during working time. After the last configuration step, you enter the interzone policy rule configuration page, with the source and destination zones of the last rule already selected.
   a. Select Deny as the filter action.
   b. Select worktime as the time range.
   c. Select the Status box.
   d. Click Apply.
-
Figure 85 Denying all the other hosts' access to the external network during working time
(Method 2) Configuring an interzone policy group on the firewall
1. Create a periodic time range from 8:00 to 18:00 on working days (Monday through Friday):
   a. Select Resource > Time Range from the navigation tree.
   b. Click Add.
   c. Enter worktime in the Name field. Select the Periodic Time Range box. Set the start time to 8:00. Set the end time to 18:00. Select the Mon., Tues., Wed., Thurs., and Fri.
-
   d. Click Apply.
Figure 87 Configure ACL 3000
3. Configure a rule for ACL 3000, allowing host public to access the external network at any time:
   a. Click the icon for ACL 3000 to enter the page that lists the ACL rules.
   b. Click Add.
   c. Select Permit as the operation. Select the Source IP Address box, and enter 10.1.1.12 and 0.0.0.0 in the following fields.
   d. Click Apply.
Figure 88 Allowing the host Public to access the external network at any time
4.
-
Figure 89 Denying all the other hosts' access to the external network during working time
5. Configure the interzone policy group:
   a. Select Firewall > Security Policy > Interzone Policy Group from the navigation tree to enter the interzone policy group list page.
   b. Click Add to enter the interzone policy group configuration page.
   c. Select Trust as the source zone. Select Untrust as the destination zone.
   d. Select 3000 under Available ACLs, and click << to add it to the selected ACL list.
   e.
-
Figure 90 Configuring the interzone policy group
Configuring the interzone policy rules at the CLI
Interzone policy rule configuration task list
Task Remarks
Creating an interzone policy rule: Required.
Referencing objects in an interzone policy rule: Required.
Enabling an interzone policy rule: Required.
Enabling interzone policy acceleration: Optional.
Moving an interzone policy rule: Optional.
-
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a VD.
3. Create an interzone instance and enter interzone instance view.
   Command: interzone source source-zone-name destination destination-zone-name
   Remarks: By default, no interzone instance exists.
4. Create an interzone policy rule and enter its view.
   Remarks: By default, no interzone policy rule exists in an interzone instance.
-
Step Command Remarks
4. Enter interzone policy rule view.
   Command: rule [ rule-id ] { deny | permit } [ content-filter policy-template-name | logging | time-range time-range-name ] *
   Remarks: N/A
5. Reference a source IP object in the interzone policy rule.
   Command: source-ip sour-ip-obj-name
   Remarks: By default, no source IP object is referenced in an interzone policy rule.
6. Reference a destination IP object in the interzone policy rule.
7. Reference a service object in the interzone policy rule.
-
Enabling interzone policy acceleration
The following matrix shows the feature and hardware compatibility:
Hardware / Interzone policy acceleration compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: No
U200-S: No
Interzone policy acceleration speeds up policy lookup. The acceleration effect increases with the number of interzone policy rules.
-
Configuring the interzone policy group
Interzone policy group configuration task list
Task Remarks
Creating the interzone policy group: Required.
Enabling the interzone policy group: Required.
Moving an ACL in the interzone policy group: Optional.
Configuration prerequisites
Before configuring the interzone policy group, complete the following tasks:
• Create a VD (see System Management and Maintenance Configuration Guide).
-
Step Command Remarks
2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a VD.
3. Enter interzone instance view.
   Command: interzone source source-zone-name destination destination-zone-name
   Remarks: N/A
4. Move an ACL in the interzone policy.
   Command: move rule acl [ ipv6 ] acl-number before insert-acl-number
   Remarks: Optional.
Displaying and maintaining interzone policies
Task Command Remarks
Display interzone policy configuration.
-
Figure 91 Network diagram
Configuration procedure
1. Create a time range named work to cover 8:00 to 18:00 on working days.
system-view
[Firewall] time-range work 8:0 to 18:0 working-day
2. Configure security zones:
# Create a security zone named president, and add interface GigabitEthernet 0/2 to the security zone.
-
[Firewall-object-network-president] quit
# Create a subnet address object named finance, and add subnet IP address 192.168.2.0/24 to the object.
[Firewall] object network subnet finance
[Firewall-object-network-finance] subnet 192.168.2.0 0.0.0.255
[Firewall-object-network-finance] quit
# Create a subnet address object named market, and add subnet IP address 192.168.3.0/24 to the object.
[Firewall] object network subnet market
[Firewall-object-network-market] subnet 192.168.3.0 0.0.0.
-
[Firewall-interzone-finance-database-rule-1] rule enable
[Firewall-interzone-finance-database-rule-1] quit
[Firewall-interzone-finance-database] quit
# Create an interzone instance from source zone market to destination zone database, configure a rule to deny access from the marketing department to the financial database server through HTTP at any time, and enable the rule.
-
2. Create advanced IPv4 ACL 3000, and configure three rules in the ACL: one rule permits access from the president office to the financial database server, one rule permits access from the financial department to the database server during working hours, and one rule denies access from any other department to the database server at any time.
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.
-
# Ping the financial database server from a PC of the marketing department during working hours.
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that the financial database server cannot be pinged.
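The first-match behaviour of this example, modelled in Python as an added illustration that is not HP's code: it carries the periodic time range work, the president, finance and market subnet objects and the database server from the configuration above, plus the rule-ordering semantics (a new rule is appended; moving a rule before target ID 65535 places it last). The default action for packets that no rule matches, the end-inclusive time range and the Comware day keywords are assumptions.

```python
"""Added model (not HP code) of first-match interzone policy evaluation."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Day keywords of the time-range command (assumed), as in "8:0 to 18:0 working-day"; weekday(): Monday is 0.
DAY_KEYWORDS = {
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7)),
    "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4}, "sat": {5}, "sun": {6},
}
END_OF_LIST = 65535  # target rule ID meaning "place after all other rules" (from the page)


@dataclass
class PeriodicTimeRange:
    """Periodic time range: recurs on the given weekdays between start and end."""
    start: time
    end: time
    days: set

    @classmethod
    def parse(cls, spec: str) -> "PeriodicTimeRange":
        """Parse the periodic form, e.g. '8:0 to 18:0 working-day' (assumed end-inclusive)."""
        start_s, _to, end_s, *day_words = spec.split()
        as_time = lambda s: time(*map(int, s.split(":")))
        days = set().union(*(DAY_KEYWORDS[w] for w in day_words))
        return cls(as_time(start_s), as_time(end_s), days)

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() <= self.end


@dataclass
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    source: str                                   # referenced source IP object, e.g. "192.168.2.0/24"
    destination: str                              # referenced destination IP object
    service: Optional[Tuple[str, Optional[int]]] = None   # (protocol, dst port); None = any service
    time_range: Optional[PeriodicTimeRange] = None         # None = effective at all times

    def __post_init__(self) -> None:
        self.source, self.destination = ip_network(self.source), ip_network(self.destination)

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int], at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False
        if ip_address(src) not in self.source or ip_address(dst) not in self.destination:
            return False
        if self.service is not None:
            want_proto, want_port = self.service
            if proto != want_proto or (want_port is not None and dport != want_port):
                return False
        return True


class InterzonePolicy:
    """Rules of one interzone instance, matched in display order; the first match decides."""

    def __init__(self, source_zone: str, dest_zone: str, default_action: str = "deny"):
        # Assumption: a packet matched by no enabled rule gets default_action.
        self.source_zone, self.dest_zone, self.default_action = source_zone, dest_zone, default_action
        self.rules: List[Rule] = []
        self.enabled: set = set()

    def add(self, rule: Rule, enable: bool = True) -> None:
        self.rules.append(rule)        # a new rule goes to the end of the list
        if enable:
            self.enabled.add(rule.rule_id)

    def move(self, rule_id: int, before_id: int) -> None:
        """Place rule_id in front of before_id; END_OF_LIST moves it to the end."""
        rule = next(r for r in self.rules if r.rule_id == rule_id)
        self.rules.remove(rule)
        if before_id == END_OF_LIST:
            self.rules.append(rule)
        else:
            target = next(i for i, r in enumerate(self.rules) if r.rule_id == before_id)
            self.rules.insert(target, rule)

    def decide(self, proto: str, src: str, dst: str, dport: Optional[int], at_iso: str) -> Tuple[str, Optional[int]]:
        """Return (action, ID of the matching rule or None) for one packet at ISO time at_iso."""
        at = datetime.fromisoformat(at_iso)
        for r in self.rules:
            if r.rule_id in self.enabled and r.matches(proto, src, dst, dport, at):
                return r.action, r.rule_id
        return self.default_action, None


def build_example_policies() -> Dict[str, InterzonePolicy]:
    """Constructed from the page's example: president, finance and market zones to database."""
    work = PeriodicTimeRange.parse("8:0 to 18:0 working-day")
    db = "192.168.0.100/32"
    president = InterzonePolicy("president", "database")
    president.add(Rule(1, "permit", "192.168.1.0/24", db))
    finance = InterzonePolicy("finance", "database")
    finance.add(Rule(1, "permit", "192.168.2.0/24", db, time_range=work))
    market = InterzonePolicy("market", "database")
    market.add(Rule(1, "deny", "192.168.3.0/24", db, service=("tcp", 80)))
    return {"president": president, "finance": finance, "market": market}
```

The marketing ping in the output above corresponds to `decide("icmp", "192.168.3.5", "192.168.0.100", None, "2024-01-08T10:00")` on the market policy, which falls through to the default action because the only rule covers HTTP.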
-
Configuration procedure
1. Log in to the Web interface, and then select Wizard from the navigation tree to enter the main page of the configuration wizard.
2. Click the Firewall Policy Configuration hyperlink to enter the first page of the firewall policy configuration wizard.
Figure 93 Firewall policy configuration wizard: 1/7
3. Configure the items on the page as described in Table 31.
-
Figure 94 Firewall policy configuration wizard: 2/7
5. Configure the items on the page as described in Table 32.
Table 32 Configuration items
Item Description
Filter Action: Specify the action to be taken for packets matching the firewall policy:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Content Filtering Policy Template: Specify the content filtering template to be applied to the packets that match the firewall policy.
6.
-
Figure 95 Firewall policy configuration wizard: 3/7
7. Configure the items on the page as described in Table 33.
Table 33 Configuration items
Item Description
Source IP Address (Group): Specify the source address or source address group resource for the firewall policy.
Destination IP Address (Group): Specify the destination address or destination address group resource for the firewall policy.
8. Click Next to enter the fourth page of the firewall policy configuration wizard.
-
Figure 96 Firewall policy configuration wizard: 4/7
9. Configure the item on the page as described in Table 34.
Table 34 Configuration item
Item Description
Service (Group): Specify the service resource for the firewall policy.
10. Click Next to enter the fifth page of the firewall policy configuration wizard.
-
Figure 97 Firewall policy configuration wizard: 5/7
11. Configure the item on the page as described in Table 35.
Table 35 Configuration item
Item Description
Time Range: Specify the time range resource for the firewall policy.
12. Click Next to enter the sixth page of the firewall policy configuration wizard.
-
Figure 98 Firewall policy configuration wizard: 6/7
13. Configure the item on the page as described in Table 36.
Table 36 Configuration item
Item Description
Enable Syslog Function: Specify whether to keep a log of matched packets.
14. Click Next to enter the seventh page of the firewall policy configuration wizard.
-
Figure 99 Firewall policy configuration wizard: 7/7
15. Select whether to save the current configuration to the configuration files used at the next startup (including a .cfg file and an .xml file), check that the settings are what you want, and then select the destination page:
   ◦ Interzone policy page—Jumps to the page you can enter by selecting Firewall > Security Policy > Interzone Policy from the navigation tree.
16.
-
Managing sessions
Overview
Session management is a common feature designed to implement session-based services such as NAT, ASPF, and intrusion protection. Session management regards packet exchanges at the transport layer as sessions, and updates the session status or ages sessions out according to information in the initiator or responder packets. Session management allows multiple features to process the same service packet.
-
• Supports ICMP error packet mapping, which allows the system to search for the original sessions according to the payload of these packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
• Supports persistent sessions, which are kept alive for a long period of time. Only TCP sessions in ESTABLISHED state can be specified as persistent sessions.
-
Figure 100 Session configuration
2. Configure the parameters as described in Table 37.
3. Click Apply.
-
Table 37 Configuration items
Item Description
Enable or disable unidirectional traffic detection.
• When unidirectional traffic detection is enabled, the session management feature processes both unidirectional and bidirectional traffic.
• When unidirectional traffic detection is disabled, the session management feature processes only bidirectional traffic.
-
Item Description
MSN Session Aging Time: Specify the MSN session aging time.
QQ Session Aging Time: Specify the QQ session aging time.
SIP Session Aging Time: Specify the SIP session aging time.
Displaying session table information
1. Select Firewall > Session Table > Session Summary from the navigation tree. The session table appears.
Figure 101 Session table
Table 38 Field description
Field Description
Init Src IP: Source IP address and port number of packets from the session initiator.
-
Figure 102 Detailed information of a session
Table 39 Field description
Field Description
Protocol: Transport layer protocol: TCP, UDP, ICMP, or RAWIP.
State: Session status:
• Accelerate.
• SYN.
• TCP-EST.
• FIN.
• UDP-OPEN.
• UDP-READY.
• ICMP-OPEN.
• ICMP-CLOSED.
• RAWIP-OPEN.
• RAWIP-READY.
TTL: Remaining lifetime of the session.
Initiator: VD / ZONE / VPN / IP / PORT: Initiator's virtual device/security zone/VPN instance/IP address/port number.
-
Figure 103 Global session statistics
Table 40 Field description
Field Description
Current Session(s): Total number of sessions.
Current TCP Session(s): Total number of current TCP half-open connections, TCP half-close connections, and full TCP connections in the system.
Current TCP Half-Open Session(s): Number of current TCP half-open connections in the system.
Current TCP Half-Close Session(s): Number of current TCP half-close connections in the system.
-
Field Description
Received TCP Byte(s): Number of TCP bytes received.
Received UDP Packet(s): Number of UDP packets received.
Received UDP Byte(s): Number of UDP bytes received.
Received ICMP Packet(s): Number of ICMP packets received.
Received ICMP Byte(s): Number of ICMP bytes received.
Received RAWIP Packet(s): Number of RAWIP packets received.
Received RAWIP Byte(s): Number of RAWIP bytes received.
-
Displaying session statistics by the IP address or the security zone
You can display session statistics by source IP address, destination IP address, source security zone, or destination security zone. To do so, you must first enable the corresponding session statistics.
Enabling session statistics
1. Select Firewall > Session Table > Statistics from the navigation tree.
2. Click the Statistics Configuration tab.
Figure 105 Session statistics configuration page
3.
-
Figure 106 Session statistics by the IP address
Table 42 Field description
Field Description
Total Connection Count: Total number of current connections.
Total Connection Rate: Sampled connection establishment rate in a 5-second interval.
TCP Connection Count: Total number of TCP half-open connections, TCP half-close connections, and full TCP connections.
TCP Half-Open Connection Count: Number of TCP half-open connections.
TCP Half-Close Connection Count: Number of TCP half-close connections.
-
Field Description
ICMP Byte Count: Number of ICMP bytes.
RAWIP Packet Count: Number of RAWIP packets.
RAWIP Byte Count: Number of RAWIP bytes.
Displaying session statistics by the security zone
1. Select Firewall > Session Table > Statistics from the navigation tree.
2. Click the Zone Statistics tab.
3. Select the desired security zone and direction.
4. Click Search. The matching session statistics are displayed.
-
Field Description
UDP Connection Count: Number of full UDP connections.
UDP Connection Rate: Sampled UDP connection establishment rate in a 5-second interval.
ICMP Connection Count: Number of full ICMP connections.
ICMP Connection Rate: Sampled ICMP connection establishment rate in a 5-second interval.
RAWIP Connection Count: Number of current RAWIP connections.
RAWIP Connection Rate: Sampled RAWIP connection establishment rate in a 5-second interval.
-
Setting session aging time for application layer protocols
For sessions in the READY (UDP) or ESTABLISH (TCP) state, you can set the session aging times according to the application layer protocols to which the sessions belong.
IMPORTANT: For a large number of sessions (more than 800000), do not specify an aging time that is too short. Otherwise, the console might respond slowly.
To set session aging times based on application layer protocol type:
Step Command Remarks
1.
-
Configuring the operating mode for session management
By default, session management operates in bidirectional mode and processes only bidirectional sessions. You can change the operating mode to hybrid mode to process both bidirectional sessions and unidirectional sessions. In a unidirectional session, packets can pass the device in only one direction. If you configure hybrid mode, some features cannot work properly and system security is adversely affected.
-
Configuring session logging
Session logs help track information about user access, IP address translation, and traffic. They can be sent to the log server or exported to the information center in flow log format, which helps network administrators with security auditing.
Enabling session logging
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter system view of the virtual device.
   Command: switchto vd vd-name
   Remarks: Required for non-default virtual devices.
3.
-
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify the flow log version.
   Command: userlog flow export version version-number
   Remarks: Optional. 1.0 by default.
3. Specify the source IP address for UDP packets carrying flow logs.
   Command: userlog flow export source-ip ip-address
4. Specify the IP address and UDP port number of the flow log server.
   Command: userlog flow export [ vpn-instance vpn-instance-name ] host ip-address udp-port
5. Specify to export flow logs to the information center.
   Remarks: Optional.
-
Task Command Remarks
Clear sessions.
   Command: reset session [ vd vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
   Remarks: Available in user view.
Clear session statistics.
   Command: reset session statistics [ vd vd-name ]
   Remarks: Available in user view.
Clear flow logs in the buffer.
   Command: reset userlog flow logbuffer
   Remarks: Available in user view.
-
Configuring virtual fragment reassembly
Overview
To prevent service modules (such as IPSec, NAT, and the firewall) from processing packet fragments that arrive out of order, you can enable the virtual fragment reassembly feature. This feature virtually reassembles the fragments of a datagram through fragment checking, sequencing, and caching, so that fragments arrive at service modules in order.
-
Figure 108 Virtual fragment reassembly configuration page
2. Configure the parameters as described in Table 44.
3. Click Apply.
Table 44 Configuration items
Item Description
Security Zone: Specify a security zone to be configured with virtual fragment reassembly. The virtual fragment reassembly feature is effective in only the inbound direction of a security zone.
Enable Virtual Fragment Reassembly
Specify max number of concurrent reassemblies
-
Virtual fragment reassembly configuration example
Network requirements
As shown in Figure 109, the host accesses the router through the firewall, and NAT is enabled on interface GigabitEthernet 0/1 of the firewall. Enable virtual fragment reassembly for security zone Trust on the firewall to ensure secure and efficient NAT.
Figure 109 Network diagram
Configuring the host
Configure a static route to the router. (Details not shown.)
Configuring the firewall
1.
-
   c. Click Apply.
Figure 111 Enabling static NAT on an interface
4. Configure virtual fragment reassembly:
   a. Select Firewall > Session Table > Advanced from the navigation tree.
   b. Select Trust for Security Zone.
   c. Select the Enable Virtual Fragment Reassembly box.
   d. Click Apply.
Figure 112 Configuring virtual fragment reassembly
After the configuration, if the firewall receives out-of-order fragments from security zone Trust, it examines and reassembles them.
-
Step Command Remarks
3. Create a security zone and enter security zone view.
   Command: zone name zone-name [ id zone-id ]
   Remarks: N/A
4. Add an interface to the security zone.
   Command: import interface interface-type interface-number [ vlan vlan-id ]
   Remarks: By default, a security zone contains no interface.
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Enable IP virtual fragment reassembly.
-
With the IP virtual fragment reassembly feature, the firewall checks, sequences, and caches fragments that do not arrive in order at GigabitEthernet0/2. You can use the display ip virtual-reassembly command to view related information.
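An added Python model, not HP's implementation, of the checking, sequencing and caching behaviour this section describes: an out-of-order fragment is cached until the gap before it is filled, then the contiguous run is released in offset order, and the concurrent-reassembly cap from Table 44 is enforced. The field names, the byte-offset representation and the decision to drop duplicates are assumptions.

```python
"""Added model (not HP code) of virtual fragment reassembly: check, cache, sequence."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    datagram_id: int   # IP Identification field shared by all fragments of one datagram
    offset: int        # fragment offset in bytes (the IP header value times 8)
    length: int        # payload length in bytes
    more: bool         # MF flag: False on the last fragment


class VirtualReassembler:
    """Inbound reorder buffer for one security zone with a cap on concurrent reassemblies."""

    def __init__(self, max_reassemblies: int):
        self.max_reassemblies = max_reassemblies
        self.cache: Dict[int, Dict[int, Fragment]] = {}   # datagram_id -> offset -> fragment
        self.next_offset: Dict[int, int] = {}             # datagram_id -> next offset to forward

    def receive(self, frag: Fragment) -> Optional[List[Fragment]]:
        """Return the fragments to forward to the service modules, in order
        ([] when this one is only cached), or None when the fragment is dropped."""
        did = frag.datagram_id
        if did not in self.cache:
            if len(self.cache) >= self.max_reassemblies:
                return None                       # concurrent-reassembly limit reached: drop
            self.cache[did], self.next_offset[did] = {}, 0
        buf = self.cache[did]
        if frag.offset < self.next_offset[did] or frag.offset in buf:
            return None                           # checking step: duplicate or already forwarded
        buf[frag.offset] = frag                   # caching step: hold until the gap is filled
        released: List[Fragment] = []
        while self.next_offset[did] in buf:       # sequencing step: forward the contiguous run
            f = buf.pop(self.next_offset[did])
            released.append(f)
            self.next_offset[did] += f.length
            if not f.more:                        # last fragment forwarded: datagram complete
                del self.cache[did], self.next_offset[did]
                break
        return released

    def pending(self) -> int:
        """Number of datagrams currently being reassembled."""
        return len(self.cache)
```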
-
Configuring ASPF
Overview
Application specific packet filter (ASPF) applications are based on zone management and session management. Zone management is an independent common module. It does not concern itself with service packet processing; it only maintains information relevant to zones and provides policy interfaces for other modules.
-
Figure 115 Adding an ASPF policy
4. Configure the parameters as described in Table 45.
5. Click Apply.
Table 45 Configuration items
Item Description
Source Zone, Dest Zone: Select a source/destination zone to which the ASPF policy will be applied.
Discard ICMP error packets: Set whether to discard ICMP error packets. If this box is not selected, ICMP error packets are allowed to pass.
Discard non-SYN initial TCP packets: Set whether to discard initial TCP packets that are not SYN packets.
-
Configuration procedure
1. Configure zone 1 and zone 2, and specify security zones for the interfaces. (Details not shown.)
2. Configure an ASPF policy:
   a. Select Firewall > Session Table > Advanced from the navigation tree.
   b. Click the ASPF tab.
   c. Click Add.
   d. Select zone 1 from the Source Zone list.
   e. Select zone 2 from the Dest Zone list.
   f. Click the Discard ICMP error packets box.
   g. Click Apply.
-
Configuring session acceleration
Session acceleration can be configured only in the Web interface.
Feature and hardware compatibility
Hardware / Session acceleration compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: No
U200-S: No
Overview
In some specific applications, session acceleration helps improve system performance for setting up sessions.
-
• If session acceleration is enabled, the system cannot perform abnormity detection for non-SYN initial TCP packets.
• If session acceleration is enabled, the statistics of half-open and half-close sessions are not correct, and SYN flood attack detection cannot be performed according to the half-open and half-close session thresholds.
• If session acceleration is enabled, the statistics of IP addresses protected by a bidirectional TCP proxy are not correct.
-
Configuring connection limits
Overview
If a client in an internal network initiates a large number of connections to the external network through the device, the system resources of the device might be exhausted, leaving other users unable to access network resources normally. Likewise, if an internal server receives a large number of connection requests from a single client in a short time, the server might not be able to process them in time and cannot handle connection requests from other clients.
-
Figure 120 Connection limit policies
3. Click Add to add a policy.
4. Configure the necessary parameters and confirm.
5. Repeat steps 3 and 4 to configure more policies as needed.
6. Click Apply to put your settings into effect.
Table 46 Configuration items
Item: Description
Source IP: Specify the source IP address, mask, and VPN.
-
Configuring connection limit policies at the CLI
Connection limit configuration task list
Task: Remarks
Creating a connection limit policy: Required.
Configuring the connection limit policy: Required.
Applying the connection limit policy: Required.
Creating a connection limit policy
A connection limit policy is a set of connection limit rules that define the valid range and parameters for the policy. To create a connection limit policy:
1.
-
3. Configure an IP address-based connection limit rule.
   Command: limit limit-id { source ip { ip-address mask-length | any } [ source-vpn src-vpn-name ] | destination ip { ip-address mask-length | any } [ destination-vpn dst-vpn-name ] } * protocol { dns | http | ip | tcp | udp } max-connections max-num [ per-destination | per-source | per-source-destination ]
Applying the connection limit policy
To make a connection limit policy take effect, apply it globally.
-
Figure 121 Network diagram
Configuration procedure
The following describes only connection limit configuration. For more information about NAT configuration and internal server configuration, see NAT and ALG Configuration Guide.
# Create a connection limit policy and enter its view.
system-view
[Firewall] connection-limit policy 0
# Configure connection limit rule 0 to limit connections from hosts on segment 192.168.0.
-
Troubleshooting connection limiting
Symptom
On the Firewall, create a connection limit policy and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with an upper connection limit of 10, and the other limits connections from 192.168.0.100 with an upper connection limit of 100.
system-view
[Firewall] connection-limit policy 0
[Firewall-connection-limit-policy-0] limit 0 source ip 192.168.0.
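To see how two overlapping rules interact, the following Python is an added example written for this section, not HP code. It implements the limit rule syntax from the task list above (source/destination prefix, protocol, max-connections and a per-source, per-destination or per-source-destination counting scope) and replays the symptom described above. The assumption, labelled in the code, is that rules are evaluated in ascending rule-ID order and the first match wins; under that assumption the host 192.168.0.100 is capped at 10 because the /24 rule has the lower ID, and giving the narrower rule the lower ID restores the limit of 100. The addresses and the policy objects are constructed for the example.

```python
"""Connection limit policy matching and counting.

Added example (not from the HP guide): models the "limit" rule syntax
(source/destination prefix, protocol, max-connections, counting scope).
ASSUMPTION of this example: rules are tried in ascending rule-ID order and
the first matching rule is used, so a narrow rule must carry a lower ID
than a broad rule that also covers it.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LimitRule:
    rule_id: int
    max_connections: int
    scope: str = "per-source"          # per-source | per-destination | per-source-destination
    source: str = "0.0.0.0/0"          # "any" in CLI terms
    destination: str = "0.0.0.0/0"
    protocol: str = "ip"               # ip | tcp | udp | http | dns

    def matches(self, src: str, dst: str, proto: str) -> bool:
        proto_ok = self.protocol == "ip" or self.protocol == proto
        return (proto_ok
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False))

    def bucket(self, src: str, dst: str) -> tuple:
        # The key the counter is kept under, according to the rule's counting scope.
        if self.scope == "per-source":
            return (self.rule_id, src)
        if self.scope == "per-destination":
            return (self.rule_id, dst)
        return (self.rule_id, src, dst)


@dataclass
class ConnectionLimitPolicy:
    rules: list
    active: dict = field(default_factory=lambda: defaultdict(int))

    def lookup(self, src: str, dst: str, proto: str):
        # ASSUMED matching order: ascending rule ID, first match wins.
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(src, dst, proto):
                return rule
        return None

    def open(self, src: str, dst: str, proto: str = "tcp") -> bool:
        """Admit a new connection, or refuse it once the matching rule's limit is reached."""
        rule = self.lookup(src, dst, proto)
        if rule is None:
            return True                # no rule applies, no limit
        key = rule.bucket(src, dst)
        if self.active[key] >= rule.max_connections:
            return False
        self.active[key] += 1
        return True

    def close(self, src: str, dst: str, proto: str = "tcp") -> None:
        rule = self.lookup(src, dst, proto)
        if rule is not None:
            key = rule.bucket(src, dst)
            self.active[key] = max(0, self.active[key] - 1)


def admitted_count(policy: ConnectionLimitPolicy, src: str, dst: str,
                   attempts: int, proto: str = "tcp") -> int:
    """How many of `attempts` new connections from src to dst the policy lets through."""
    return sum(policy.open(src, dst, proto) for _ in range(attempts))
```

The per-destination scope covers the second motivation in the overview (one client flooding an internal server): counting is then keyed on the server address regardless of which clients open the connections.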
-
Configuring portal authentication
Portal authentication can be configured only at the CLI. Dialer interfaces, virtual-template interfaces, and tunnel interfaces do not support portal authentication. The term "router" in this document refers to routers, routing-capable firewalls, and UTM devices alike.
-
• Resource access restriction—Allows users passing identity authentication to access only network resources in the quarantined area, such as the anti-virus server and the patch server. Only users passing both identity authentication and security check can access restricted network resources.
Portal system components
A typical portal system comprises these basic components: authentication client, access device, portal server, authentication/accounting server, and security policy server.
-
Authentication/accounting server
An authentication/accounting server implements user authentication and accounting through interaction with the access device. Only a RADIUS server can serve as the remote authentication/accounting server in a portal system.
Security policy server
A security policy server interacts with authentication clients and access devices for security check and resource authorization.
The components of a portal system interact as follows:
1.
-
consists of only three components: authentication client, access device, and authentication/accounting server, as shown in Figure 123.
Figure 123 Portal system using the local portal server
No security policy server is needed for local portal service, because the portal system using the local portal server does not support extended portal functions. The local portal server function of the access device implements only some simple portal server functions.
-
Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources. No public IP address is allocated to those who fail authentication. This solves the IP address planning and allocation problem.
-
Layer 3 portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process. Re-DHCP authentication has a different process because of the presence of two address allocation procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 125 Direct authentication/cross-subnet authentication process
The direct authentication/cross-subnet authentication process is as follows:
1.
-
Re-DHCP authentication process (with CHAP/PAP authentication)
Figure 126 Re-DHCP authentication process (message sequence among the authentication client, portal server, access device, authentication/accounting server, and security policy server):
1) Initiate a connection
2) CHAP authentication
3) Authentication request
4) RADIUS authentication (timer)
5) Authentication reply
6) Authentication succeeds
7) The user obtains a new IP address
8) Discover user IP change
9) Detect user IP change
10) Notify login success
11) IP change ack
-
Authentication process with the local portal server
Figure 127 Authentication process with the local portal server
With the local portal server, the direct/cross-subnet authentication process is as follows:
1. A portal client initiates authentication by sending an HTTP request. When the HTTP packet arrives at an access device using the local portal server, it is redirected to the local portal server, which then pushes a Web authentication page for the user to enter the username and password.
-
2. The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client. 3. After the access device receives the portal authentication request, it constructs a RADIUS authentication request and sends it to the RADIUS server.
-
Task: Remarks
Configuring portal detection functions (Configuring online Layer 3 portal user detection; Configuring the portal server detection function; Configuring portal user information synchronization): Optional.
Logging off portal users: Optional.
Configuration prerequisites
Although the portal feature provides a solution for user identity authentication and security check, the portal feature cannot implement this solution by itself.
-
• For local portal server configuration, the keywords key, port, and url are usually not required and, if configured, do not take effect.
• To make sure the device can send packets to the portal server in a VPN, specify the VPN instance to which the portal server belongs when specifying the portal server on the device.
To specify a portal server for Layer 3 authentication:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify a portal server and configure related parameters.
-
The page elements refer to the files that the authentication pages reference, for example, back.jpg for page Logon.htm. Each main authentication page can reference multiple page elements. If you define only some of the main authentication pages, the system uses the default authentication pages for the undefined ones.
-
-
Configuration prerequisites
To configure the local portal server to support HTTPS, complete the following configurations first:
• Configure PKI policies, obtain the CA certificate, and apply for a local certificate. For more information, see VPN Configuration Guide.
• Configure the SSL server policy, and specify the PKI domain configured in the preceding step. For more information, see Network Management Configuration Guide.
-
• If Layer 3 forwarding devices exist between the authentication client and the access device, you must select the cross-subnet portal authentication mode.
• In re-DHCP authentication mode, a client can use a public IP address to send packets before passing portal authentication. However, responses to the packets are restricted.
Configuration procedure
To enable Layer 3 portal authentication:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
-
Configuring an authentication source subnet
By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication. If an unauthenticated user is not on any authentication source subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule. Configuration of authentication source subnets applies to only cross-subnet authentication.
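The access rules this chapter describes for an unauthenticated user (the portal server and portal-free destinations are always reachable, an HTTP request to anything else is redirected to the portal server, other traffic is dropped, and authentication source subnets are honoured only in cross-subnet mode) can be expressed as one decision function. The following Python is an added example, not HP code: the PortalInterface class, the method names, the portal-free rule representation and the addresses are this example's assumptions, and it treats only TCP port 80 as HTTP.

```python
"""Pre-authentication packet handling on a portal-enabled interface.

Added example (not from the HP guide). Applies, in order: online users are
forwarded; the portal server and portal-free destinations need no
authentication; only HTTP from an unauthenticated user can trigger portal
authentication (it is redirected to the portal server); in cross-subnet
mode only HTTP from a configured authentication source subnet may do so.
Field and method names are this example's assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PortalInterface:
    portal_server: str
    method: str = "direct"                                   # direct | redhcp | layer3 (cross-subnet)
    free_destinations: list = field(default_factory=list)    # portal-free rules, as prefixes
    auth_source_subnets: list = field(default_factory=list)  # honoured only when method == "layer3"
    online_users: set = field(default_factory=set)

    @staticmethod
    def _in_any(ip: str, prefixes: list) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)

    def handle(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Return "forward", "redirect" or "drop" for one packet from src to dst."""
        if src in self.online_users:
            return "forward"
        if dst == self.portal_server or self._in_any(dst, self.free_destinations):
            return "forward"           # portal server and portal-free rules need no authentication
        is_http = proto == "tcp" and dport == 80
        if not is_http:
            return "drop"              # only HTTP can trigger portal authentication
        if (self.method == "layer3" and self.auth_source_subnets
                and not self._in_any(src, self.auth_source_subnets)):
            return "drop"              # unauthenticated and not on an authentication source subnet
        return "redirect"              # push the user to the portal server's login page

    def login(self, src: str) -> None:
        """Called after the portal/RADIUS exchange succeeds for src."""
        self.online_users.add(src)

    def logout(self, src: str) -> None:
        self.online_users.discard(src)
```

Note that the portal-free check comes before the source-subnet check, so a host outside every authentication source subnet can still reach a portal-free destination, which matches the text above.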
-
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify an authentication domain for portal users on the interface.
   Command: portal domain domain-name
   Remarks: By default, no authentication domain is specified for portal users.
-
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the NAS-Port-ID value.
   Command: portal nas-port-id nas-port-id-value
   Remarks: By default, no NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request.
-
To specify a source IP address for outgoing portal packets:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify a source IP address for outgoing portal packets.
   Command: portal nas-ip ipv4-address
   Remarks: Optional. By default, no source IP address is specified and the IP address of the user logon interface is used as the source IP address of outgoing portal packets.
-
With online portal user detection enabled on an interface, the device periodically sends probe packets (ARP requests) to the portal users on the interface to check whether the portal users are still online, to find portal users who get offline without logging off. • If the device receives a reply from a portal user before sending probe packets to the portal user for the maximum number of times, it considers that the portal user is online and keeps sending probe packets to the portal user.
-
2. Probe parameters:
Probe interval: Interval at which probe attempts are made.
Maximum number of probe attempts: Maximum number of consecutive probe attempts allowed. If the number of consecutive probes reaches this value, the access device considers that the portal server is unreachable.
-
device provides the portal user information synchronization function. This function is implemented by sending and detecting the portal synchronization packet. The process is as follows: 1. The portal server sends the online user information to the access device in a user synchronization packet at the user heartbeat interval, which is set on the portal server. 2. Upon receiving the user synchronization packet, the access device checks the user information carried in the packet with its own.
-
Displaying and maintaining portal
Display the ACLs on a specific interface.
   Command: display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Display portal connection statistics on a specific interface or all interfaces.
-
Configure the firewall to perform direct portal authentication for users on the host. Before a user passes portal authentication, the user can access only the portal server. After passing portal authentication, the user can access Internet resources. Use a RADIUS server as the authentication, authorization, and accounting server.
Figure 129 Network diagram (labels: Host 2.2.2.2/24, gateway 2.2.2.1/24; Firewall GE0/2 2.2.2.1/24, GE0/1 192.168.0.100/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.)
-
[Firewall-isp-dm1] authentication portal radius-scheme rs1
[Firewall-isp-dm1] authorization portal radius-scheme rs1
[Firewall-isp-dm1] accounting portal radius-scheme rs1
[Firewall-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Firewall] domain default enable dm1
3.
-
Configuring re-DHCP portal authentication
Network requirements
As shown in Figure 130, the host obtains an IP address from the DHCP server. Configure the firewall to perform re-DHCP portal authentication for users on the host. Before a user passes portal authentication, the DHCP server assigns a private IP address to the host. After the user passes portal authentication, the DHCP server assigns a public IP address to the host and then the user can access Internet resources.
-
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Firewall-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Firewall-radius-rs1] primary authentication 192.168.0.113
[Firewall-radius-rs1] primary accounting 192.168.0.
-
[Firewall-GigabitEthernet0/2] quit
Configuring cross-subnet portal authentication
Network requirements
As shown in Figure 131, configure cross-subnet portal authentication on the firewall to authenticate users on the host. Before a user passes portal authentication, the user can access only the portal server. After the user passes portal authentication, the user can access Internet resources. A RADIUS server serves as the authentication/accounting server.
-
[Firewall-radius-rs1] user-name-format without-domain
[Firewall-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Firewall] domain dm1
# Configure AAA methods for the ISP domain.
[Firewall-isp-dm1] authentication portal radius-scheme rs1
[Firewall-isp-dm1] authorization portal radius-scheme rs1
[Firewall-isp-dm1] accounting portal radius-scheme rs1
[Firewall-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users.
-
Figure 132 Network diagram
Configuration prerequisites
• Configure IP addresses for the host, firewall, and servers as shown in Figure 132 and make sure they can reach each other before extended portal is enabled.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configuration procedure
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
-
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Firewall] domain default enable dm1
3. Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources:
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.
-
Figure 133 Network diagram
Configuration prerequisites and guidelines
• Configure IP addresses for the firewall and servers as shown in Figure 133 and make sure the host, firewall, and servers can reach each other.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server.
-
[Firewall-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[Firewall-radius-rs1] security-policy-server 192.168.0.114
[Firewall-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Firewall] domain dm1
# Configure AAA methods for the ISP domain.
-
# Enable portal authentication on the interface connecting the host.
[Firewall-GigabitEthernet0/2] portal server newpt method redhcp
[Firewall-GigabitEthernet0/2] quit
Configuring cross-subnet portal authentication with extended functions
Network requirements
As shown in Figure 134, configure the firewall to perform extended cross-subnet portal authentication for users on the host. If a user fails security check after passing identity authentication, the user can access only subnet 192.168.0.
-
[Firewall-radius-rs1] primary accounting 192.168.0.112
[Firewall-radius-rs1] key authentication simple radius
[Firewall-radius-rs1] key accounting simple radius
[Firewall-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[Firewall-radius-rs1] security-policy-server 192.168.0.113
[Firewall-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
-
Configuring portal server detection and portal user information synchronization
Network requirements
As shown in Figure 135, a host is directly connected to a firewall (the access device) and must pass portal authentication before it can access the Internet. A RADIUS server serves as the authentication/accounting server. Detailed requirements are as follows:
• The host is assigned with a public network IP address either manually or through DHCP.
-
• Configure the portal server parameters as needed. For more information about portal server configuration, see the configuration manual provided with the portal server.
Configuration procedure
1. Configure a RADIUS scheme:
# Create RADIUS scheme rs1 and enter its view.
system-view
[Firewall] radius scheme rs1
# Configure the server type for the RADIUS scheme. When using the IMC server, configure the RADIUS server type as extended.
-
device to send a server unreachable trap message and disable portal authentication to permit unauthenticated portal users if two consecutive probes fail.
[Firewall] portal server newpt server-detect method portal-heartbeat action trap permit-all interval 40 retry 2
The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.
5.
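The following Python model is an added example (not part of the HP guide) of the portal server detection just configured, using the probe interval and maximum probe attempts described under "Configuring portal detection functions". It assumes the device checks once per interval whether a heartbeat arrived during that interval, declares the server unreachable after retry consecutive empty intervals, fires the configured actions once, and marks the server reachable again on the next heartbeat; the heartbeat timestamps are constructed. It also encodes the sizing rule from the text (interval times retry must be at least the heartbeat interval, and an interval greater than the heartbeat interval is recommended).

```python
"""Portal server reachability detection by heartbeat.

Added example (not from the HP guide): simulates "server-detect method
portal-heartbeat ... interval I retry R". ASSUMPTION of this model: the
access device checks every I seconds whether a heartbeat arrived in the
preceding I seconds; R consecutive empty intervals mark the server
unreachable and trigger the configured actions once; a later heartbeat
marks it reachable again. Heartbeat times in the tests are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PortalServerDetector:
    interval: int                       # probe interval in seconds (I)
    retry: int                          # consecutive failures before "unreachable" (R)
    actions: tuple = ("trap", "log")    # any of trap | log | permit-all
    reachable: bool = True
    failures: int = 0
    fired: list = field(default_factory=list)

    def check_sizing(self, heartbeat_interval: int) -> tuple:
        """Return (acceptable, recommended) for the configured I and R."""
        acceptable = self.interval * self.retry >= heartbeat_interval
        recommended = acceptable and self.interval > heartbeat_interval
        return acceptable, recommended

    def run(self, heartbeats: list, until: int) -> list:
        """Replay heartbeat arrival times (seconds) and return (time, new_state) transitions."""
        self.reachable, self.failures, self.fired = True, 0, []
        transitions = []
        for t in range(self.interval, until + 1, self.interval):
            seen = any(t - self.interval < h <= t for h in heartbeats)
            if seen:
                self.failures = 0
                if not self.reachable:
                    self.reachable = True
                    transitions.append((t, "reachable"))
                continue
            self.failures += 1
            if self.reachable and self.failures >= self.retry:
                self.reachable = False
                # Actions fire once per outage, e.g. the trap and permit-all of the command above.
                self.fired.extend(f"{t}:{a}" for a in self.actions)
                transitions.append((t, "unreachable"))
        return transitions
```

With interval 40 and retry 2 against a server whose heartbeat interval is 30 seconds, the sizing rule is satisfied and the outage is declared two empty intervals after the last heartbeat; with interval 10 the product 20 is below the heartbeat interval and a healthy server would be flagged.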
-
Solution
• Use the display portal server command to display the key for the portal server on the access device and view the key for the access device on the portal server.
• Use the portal server command to modify the key on the access device or modify the key for the access device on the portal server to make sure that the keys are consistent.
-
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
-
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting. RADIUS was originally designed for dial-in user access.
-
Figure 138 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user's username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The user password is not sent in the clear: it is hidden by XORing it with an MD5 digest of the shared key and the Request Authenticator (RFC 2865). Because anyone who captures the packet and knows the shared key can recover the password, the shared key must be strong and kept secret.
3. The RADIUS server authenticates the username and password.
-
Figure 139 RADIUS packet format (fields in order: Code, Identifier, Length, Authenticator, Attributes)
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 48 Main values of the Code field
Packet type: Description
1 Access-Request: From the client to the server. A packet of this type carries user information for the server to authenticate the user.
-
• Type (1 byte long): Type of the attribute, in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 49 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."
• Length (1 byte long): Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
• Value (up to 253 bytes): Value of the attribute.
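The packet layout in Figure 139 and the password hiding used in step 2 of the exchange can be exercised end to end. The following Python is an added example, not HP or RFC reference code: it builds an Access-Request carrying User-Name (1), User-Password (2), NAS-IP-Address (4) and Message-Authenticator (80, described later in the standard attribute table), parses it back, recovers the password with the shared key, and verifies the HMAC. The username, password and the shared key "radius" are constructed values; 192.168.0.100 is the firewall interface address used in the portal examples.

```python
"""Build and parse a RADIUS Access-Request (RFC 2865), hiding User-Password.

Added example (not from the HP guide). Encodes the Figure 139 layout
(Code, Identifier, Length, Authenticator, then Type/Length/Value attributes),
hides the password as RFC 2865 section 5.2 prescribes (pad to 16-byte
blocks, XOR each block with MD5(secret + previous block), starting from the
Request Authenticator) and adds Message-Authenticator (attribute 80,
HMAC-MD5 over the packet, RFC 2869). Sample values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding (passwords ending in NUL are not supported)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, includes itself and Type), Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    authenticator = authenticator or os.urandom(16)   # Request Authenticator must be unpredictable
    attrs = (tlv(USER_NAME, username.encode())
             + tlv(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    # Message-Authenticator is HMAC-MD5 over the whole packet with its own value set to zeros.
    attrs_zeroed = attrs + tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs_zeroed)) + authenticator
    mac = hmac.new(secret, header + attrs_zeroed, hashlib.md5).digest()
    return header + attrs + tlv(MESSAGE_AUTHENTICATOR, mac)


def parse(packet: bytes) -> dict:
    """Return header fields and a list of (type, value) attributes; rejects inconsistent lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match packet size")
    authenticator, attrs, pos = packet[4:20], [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return {"code": code, "id": identifier, "authenticator": authenticator, "attrs": attrs}


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 with attribute 80 zeroed and compare in constant time."""
    parsed = parse(packet)
    rebuilt, got = b"", None
    for t, v in parsed["attrs"]:
        if t == MESSAGE_AUTHENTICATOR:
            got, v = v, b"\x00" * 16
        rebuilt += tlv(t, v)
    if got is None:
        return False                                  # no Message-Authenticator present
    expected = hmac.new(secret, packet[:20] + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, got)
```

Two practitioner points fall out of the code: the hiding is reversible by anyone holding the shared key, which is why the key must be strong and not reused across NASes, and without Message-Authenticator nothing in an Access-Request proves it came from the NAS, which is why the attribute table later marks it as the spoofing protection.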
-
-
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations.
-
Figure 141 Basic HWTACACS message exchange process for a Telnet user
HWTACACS operates in the following manner:
1. A Telnet user sends an access request to the HWTACACS client.
2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6.
-
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14.
-
SSL VPN users—Users who access through SSL VPN.
-
AAA for VPNs
When clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across VPNs. With this feature, the MCE at the left side of the backbone serves as a NAS and transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication, as shown in Figure 143. Authentication packets of private users in different VPNs do not affect each other.
-
No. Attribute: Description
5 NAS-Port: Physical port of the NAS that the user accesses.
6 Service-Type: Type of service that the user has requested or type of service to be provided.
7 Framed-Protocol: Encapsulation protocol for framed access.
8 Framed-IP-Address: IP address assigned to the user.
11 Filter-ID: Name of the filter list.
12 Framed-MTU: MTU for the data link between the user and NAS.
14 Login-IP-Host: IP address of the NAS interface that the user accesses.
-
No. Attribute: Description
79 EAP-Message: Used to encapsulate EAP packets to allow RADIUS to support EAP authentication.
80 Message-Authenticator: Used for authentication and verification of authentication packets to prevent spoofed Access-Requests. This attribute is present when EAP authentication is used.
87 NAS-Port-Id: String describing the port of the NAS that is authenticating the user.
HP proprietary RADIUS sub-attributes
-
No. Sub-attribute: Description
60 Ip_Host_Addr: User IP address and MAC address carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.
61 User_Notify: Information that must be sent from the server to the client transparently.
User_HeartBeat: Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string.
-
Figure 144 AAA configuration procedure
Table 51 AAA configuration task list
Task: Remarks
Perform one of the following tasks to configure an AAA scheme (Configuring local users; Configuring RADIUS schemes; Configuring HWTACACS schemes): Required. Complete at least one task.
Creating an ISP domain: Required.
Configuring ISP domain attributes: Optional.
Configuring authentication methods for an ISP domain: Required.
-
• Services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication. Service types include DVPN, FTP, portal, PPP, SSH, Telnet, terminal, and Web.
• User state. Indicates whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.
-
The following matrixes show the service types and hardware compatibility:
Hardware: DVPN service compatible
F1000-A-EI/F1000-S-EI: No
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: No
U200-S: No
Hardware: Portal service compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: No
Firewall module: Yes
U200-A: Yes
U200-S: Yes
Local user configuration task list
Task: Remarks
Configuring local user attributes: Required.
Configuring user group attributes: Optional.
-
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add a local user and enter local user view.
   Command: local-user user-name [ vd vd-name ]
   Remarks: By default, the local user named admin exists.
3. Configure a password for the local user.
   Remarks: Optional.
-
9. Configure authorization attributes for the local user.
   Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-role { guest | guest-manager | security-audit } | vlan vlan-id | work-directory directory-name } *
   Remarks: Optional. By default, no authorization attribute is configured for a local user. For PPP users, only acl, callback-number, and idle-cut are supported. For portal users, only acl, idle-cut, and vlan are supported.
-
3. Configure password control attributes for the user group.
   Command: Set the password aging time: password-control aging aging-time
   Remarks: Optional.
-
RADIUS scheme configuration task list
Task: Remarks
Creating a RADIUS scheme: Required.
Specifying the RADIUS authentication/authorization servers: Required.
Specifying the RADIUS accounting servers and the relevant parameters: Optional.
Specifying the shared keys for secure RADIUS communication: Optional.
Specifying a VPN for the RADIUS scheme: Optional.
Setting the username format and traffic statistics units: Optional.
Setting the supported RADIUS server type: Optional.
-
You can enable the server status detection feature. With the feature, the device periodically sends an authentication request to check whether or not the target RADIUS authentication/authorization server is reachable. If the server can be reached, the device sets the status of the server to active. If the server cannot be reached, the device sets the status of the server to block. This feature promptly notifies the authentication modules of the latest server status.
-
To specify RADIUS accounting servers and set relevant parameters for a scheme:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify RADIUS accounting servers.
   Command: Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command.
-
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication.
   Command: key { accounting | authentication } [ cipher | simple ] key
   Remarks: By default, no shared key is specified. The shared key configured on the device must be the same as that configured on the RADIUS server.
-
Do not apply the RADIUS scheme to more than one ISP domain if you have configured the user-name-format without-domain command for that RADIUS scheme. Otherwise, users in different ISP domains are considered the same user if they use the same username. For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same result: both make sure that usernames sent to the RADIUS server carry no ISP domain name.
-
3. Set the maximum number of RADIUS request transmission attempts.
   Command: retry retry-times
   Remarks: Optional. The default setting is 3.
Setting the status of RADIUS servers
By setting the status of RADIUS servers to blocked or active, you can control the AAA servers with which the device communicates when the current servers are no longer available.
-
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may need to change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server. To set the status of RADIUS servers in a RADIUS scheme:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
-
2. Specify a source IP address for outgoing RADIUS packets.
   Command: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
   Remarks: By default, the IP address of the outbound interface is used as the source IP address. Support for the ipv6 ipv6-address option depends on the device model. For more information, see Access Control Command Reference.
To specify a source IP address for a specific RADIUS scheme:
1. Enter system view.
-
• When a number of secondary servers are configured, the client connections of access modules that have a short client connection timeout period may still be timed out during initial authentication or accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values.
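The caveat above is easiest to see with numbers. The following Python is an added example (not HP code) that walks a scheme's server list the way this chapter describes: servers in the block state are skipped, each active server is tried up to retry times with a server response timeout between tries, and a server that never answers is set to block so later requests skip it. It also computes the worst-case wait so it can be compared with the access client's own timeout. The transport callback, the 3-second response timeout and the server addresses are this example's assumptions; the retry default of 3 is the one given above.

```python
"""RADIUS server failover, retry budget and the client-timeout trap.

Added example (not from the HP guide). Simulates a NAS walking its primary
and secondary servers: blocked servers are skipped, active servers are
retried up to `retry` times with `timeout` seconds per try, and a server
that never answers is marked block. `send` stands in for the transport.
ASSUMED values: timeout default 3 s, server addresses in the tests.
"""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    address: str
    status: str = "active"      # active | block


@dataclass
class RadiusScheme:
    servers: list               # primary first, then secondaries in configured order
    retry: int = 3              # "retry retry-times", default 3 per the table above
    timeout: int = 3            # server response timeout in seconds (assumed default)
    elapsed: int = 0
    log: list = field(default_factory=list)

    def worst_case_wait(self) -> int:
        """Seconds an access client may wait if every active server stays silent."""
        return sum(self.retry * self.timeout for s in self.servers if s.status == "active")

    def authenticate(self, send, client_timeout: int) -> str:
        """send(address) -> True if the server replied. Returns answered | failed | client-timeout."""
        self.elapsed = 0
        for server in self.servers:
            if server.status == "block":
                self.log.append(f"skip {server.address} (blocked)")
                continue
            for attempt in range(1, self.retry + 1):
                if self.elapsed >= client_timeout:
                    return "client-timeout"        # the access module gave up before we finished
                if send(server.address):
                    self.log.append(f"{server.address} answered on attempt {attempt}")
                    return "answered"
                self.elapsed += self.timeout
                self.log.append(f"{server.address} attempt {attempt} timed out")
            server.status = "block"                # exhausted: skip it for later requests
        return "failed"
```

Three servers with retry 3 and timeout 3 give a 27-second worst case; a client that abandons its connection after 15 seconds times out while the second server is still being retried, even though a third, healthy server exists. Once the silent servers are in the block state the next request reaches the healthy server immediately, which is what the status detection and manual blocking described above are for.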
-
provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit. The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS.
-
The failure ratio is typically small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration on, and the communication between, the NAS and the RADIUS server.
To enable the trap function for RADIUS:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the trap function for RADIUS.
   Command: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
   Remarks: Disabled by default.
-
HWTACACS configuration task list
• Creating an HWTACACS scheme: Required.
• Specifying the HWTACACS authentication servers: Required.
• Specifying the HWTACACS authorization servers: Optional.
• Specifying the HWTACACS accounting servers and the relevant parameters: Optional.
• Specifying the shared keys for secure HWTACACS communication: Required.
• Specifying a VPN for the HWTACACS scheme: Optional.
• Setting the username format and traffic statistics units: Optional.
-
3. Specify HWTACACS authentication servers. Commands:
• Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
• Specify a secondary HWTACACS authentication server: secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
Remarks: Configure at least one command. No authentication server is specified by default.
-
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Remarks: N/A.
3. Specify HWTACACS accounting servers. Commands:
• Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
• Specify a secondary HWTACACS accounting server: secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
-
1. Enter system view. Command: system-view.
2. Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name.
3. Specify a VPN for the HWTACACS scheme. Command: vpn-instance vpn-instance-name.
Setting the username format and traffic statistics units
A username is usually in the format userid@isp-name, where isp-name represents the user's ISP domain name.
-
You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes whose servers are in a VPN or the public network. Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:
• The source IP address specified for the HWTACACS scheme.
• The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
-
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Remarks: N/A.
3. Set the HWTACACS server response timeout timer. Command: timer response-timeout seconds. Remarks: Optional. The default HWTACACS server response timeout timer is 5 seconds.
4. Set the quiet timer for the primary server. Command: timer quiet minutes. Remarks: Optional.
5. Set the real-time accounting interval. Command: timer realtime-accounting minutes.
-
On the device, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the device considers that the user belongs to the default ISP domain.
-
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter ISP domain view. Command: domain isp-name. Remarks: N/A.
3. Place the ISP domain in the active or blocked state. Command: state { active | block }. Remarks: By default, an ISP domain is in active state, and users in the domain can request network services.
4. Specify the maximum number of online users in the ISP domain. Command: access-limit enable max-user-number. Remarks: Optional.
5. Configure the idle cut function. Command: idle-cut enable minute [ flow ]. Remarks: Disabled by default.
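The following Python example is added to this guide as an illustration; it is not device code. It shows the username-to-domain rule described above (userid@isp-name, with the default ISP domain applying when no domain name is given) together with the two admission controls in the table: the domain state (active or block) and the access-limit. The domain names, the default domain and the limit values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class IspDomain:
    name: str
    state: str = "active"               # state { active | block }
    access_limit: Optional[int] = None  # access-limit enable max-user-number; None means no limit
    online: int = 0                     # current number of online users in the domain


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Split userid@isp-name; a username without '@' carries no domain name."""
    userid, sep, isp_name = username.rpartition("@")
    if not sep:
        return username, None
    return userid, isp_name


def resolve_domain(username: str, domains: Dict[str, IspDomain], default_domain: str):
    """Return (userid, IspDomain or None). A missing domain name maps to the default ISP domain."""
    userid, isp_name = split_username(username)
    if isp_name is None:
        isp_name = default_domain
    return userid, domains.get(isp_name)


def admit(username: str, domains: Dict[str, IspDomain], default_domain: str) -> Tuple[bool, str]:
    """Decide whether a login may proceed; returns (admitted, domain name or refusal reason)."""
    _userid, domain = resolve_domain(username, domains, default_domain)
    if domain is None:
        return False, "unknown-domain"
    if domain.state == "block":          # users in a blocked domain cannot request services
        return False, "domain-blocked"
    if domain.access_limit is not None and domain.online >= domain.access_limit:
        return False, "access-limit"     # maximum number of online users reached
    domain.online += 1
    return True, domain.name
```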
-
• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. Local and none authentication methods do not require a scheme.
• Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type to limit the authentication protocols that users can use for access.
• Determine whether to configure the default authentication method for all access types or service types.
-
7. Specify the authentication method for PPP users. Command: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional.
8. Specify the authentication method for SSL VPN users. Command: authentication ssl-vpn radius-scheme radius-scheme-name.
9. Specify the authentication method for privilege level switching.
-
authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration. AAA supports the following authorization methods: • No authorization (none)—The NAS performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have Level 0 (visiting) access. Support for AUX logins depends on the device model.
-
4. Specify the command authorization method. Command: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }. Remarks: Optional.
5. Specify the authorization method for DVPN users. Command: authorization dvpn { local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional.
6. Specify the authorization method for login users.
-
Hardware / SSL VPN user authorization method compatible:
• F1000-E: Yes
• F5000: No
• Firewall module: No
• U200-A: Yes
• U200-S: Yes
Configuring accounting methods for an ISP domain
In AAA, accounting is a separate process at the same level as authentication and authorization. This process sends accounting start/update/end requests to the specified accounting server. Accounting is optional.
-
3. Enable the accounting optional feature. Command: accounting optional. Remarks: Optional. Disabled by default. With the accounting optional feature, a device allows users to use network resources when no accounting server is available or communication with all accounting servers fails.
4. Specify the default accounting method for all types of users. Command: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }.
-
Hardware / Portal user accounting method compatible:
• F1000-A-EI/F1000-S-EI: Yes
• F1000-E: Yes
• F5000: No
• Firewall module: Yes
• U200-A: Yes
• U200-S: Yes
Hardware / SSL VPN user accounting method compatible:
• F1000-A-EI/F1000-S-EI: Yes
• F1000-E: Yes
• F5000: No
• Firewall module: No
• U200-A: Yes
• U200-S: Yes
Tearing down user connections
1. Enter system view. Command: system-view. Remarks: N/A.
2. Tear down AAA user connections. Remarks: The command applies to portal and PPP user connections.
-
3. Configure a NAS ID-VLAN binding. Command: nas-id nas-identifier bind vlan vlan-id. Remarks: By default, no NAS ID-VLAN binding exists.
Displaying and maintaining AAA
• Display the configuration of ISP domains. Command: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
• Display information about user connections.
-
Configuring the firewall
# Assign an IP address to interface GigabitEthernet 0/1, the Telnet user access interface.
system-view
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 192.168.1.70 255.255.255.0
[Firewall-GigabitEthernet0/1] quit
# Configure the IP address of interface GigabitEthernet 0/2, through which the firewall communicates with the server.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 10.1.1.2 255.255.255.
-
Local authentication/authorization for Telnet/FTP users
The configuration of local authentication and authorization for FTP users is similar to that for Telnet users. This example describes the configuration of Telnet users.
Network requirements
As shown in Figure 146, configure the firewall to perform local authentication and authorization for Telnet users.
Figure 146 Network diagram
Configuration procedure
1.
-
Total 1 connection(s) matched.
Level switching authentication for Telnet users by a RADIUS server
Network requirements
As shown in Figure 147, configure the firewall to:
• Use local authentication for the Telnet user and assign the privilege level of 0 to the user when the user passes authentication.
• Use the RADIUS server for level switching authentication of the Telnet user. If the RADIUS server is not available, use local authentication.
-
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 192.168.1.70 255.255.255.0
[Firewall-GigabitEthernet0/1] quit
# Configure the IP address of GigabitEthernet 0/2, through which the firewall communicates with the server.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 10.1.1.2 255.255.255.0
[Firewall-GigabitEthernet0/2] quit
# Enable the firewall to provide Telnet service.
-
[Firewall] super password simple 654321
[Firewall] quit
2. Configure the RADIUS server.
The RADIUS server in this example runs ACSv4.0. Add the usernames and passwords for user privilege level switching authentication.
-
Figure 149 List of the usernames for privilege level switching
3. Verify the configuration.
After the configuration is complete, the user can Telnet to the firewall and use username test@bbb and password aabbcc to enter the user interface of the firewall, and access all level 0 commands.
telnet 192.168.1.70
Trying 192.168.1.70 ...
Press CTRL+K to abort
Connected to 192.168.1.70 ...
-
Error: Invalid configuration or no response from the authentication server.
Info: Change authentication mode to local.
Password:   ← Enter the password for local privilege level switching authentication.
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
-
Configuration prerequisites
Configure IP addresses for the devices as shown in Figure 150 and make sure that the devices can reach each other. (Details not shown.)
Configuring the RADIUS server
For more information about RADIUS server configuration, see the configuration manual provided with the RADIUS server.
Configuring the firewall
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
-
Verifying the configuration
The user can initiate portal authentication by using the HP iNode client or by accessing a Web page. All initiated Web requests are redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page. After passing portal authentication, the user can access the Internet.
# After the user passes portal authentication, view the portal user information on the firewall.
-
• Configuring authorization methods for the ISP domain: Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.
• Configuring accounting methods for the ISP domain: Optional. Specify the accounting methods for various types of users. By default, all types of users use local accounting.
-
Figure 152 RADIUS scheme configuration page
3. Enter a name for the RADIUS scheme.
4. Configure the common parameters for the scheme, as described in Table 53.
Table 53 Configuration items
• Server Type: Select the type of the RADIUS servers supported by the device, which can be:
  • Standard—Standard RADIUS server. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
-
Figure 153 Common configuration area with advanced parameters displayed
6. Configure the advanced parameters, as described in Table 54.
Table 54 Configuration items
• Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key: Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets. The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets.
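The Python example below is added to this guide to show what the shared key is used for on the wire; it is not device code and does not reproduce the firewall's implementation. It follows RFC 2865: the client hides the User-Password attribute by XORing it with MD5 digests derived from the shared key and the Request Authenticator, and the client checks the server's Response Authenticator, MD5 over the reply header, the Request Authenticator, the attributes and the shared key. The check fails whenever the NAS and the server hold different keys, which is the symptom listed under "Troubleshooting RADIUS". The secret expert, the username test@bbb and the password aabbcc are taken from the configuration examples in this guide; the packet identifier and the Request Authenticator bytes are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous cipher block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def unhide_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse of hide_user_password; a wrong shared key yields garbage, not an error."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(identifier, secret, username, password, request_authenticator):
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_user_password(password, secret, request_authenticator))
    return build_packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attributes=b""):
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(packet: bytes, identifier: int, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check: reject a reply whose length is wrong, whose ID does not match the
    outstanding request, or whose authenticator was computed with a different shared key."""
    if len(packet) < 20:
        return False
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or pkt_id != identifier:
        return False
    expected = response_authenticator(code, pkt_id, request_authenticator, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)
```

Because the password hiding is only an XOR against MD5-derived masks, the shared key is the whole protection for the user password between the NAS and the server; this is why the key should be long and random and why the RADIUS traffic belongs on a management network or a VPN.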
-
• Quiet Time: Set the time the device keeps an unreachable RADIUS server in the blocked state. The device does not change the status of an unreachable RADIUS authentication or accounting server if the server quiet timer is 0. Instead, the device keeps the server status as active and sends authentication or accounting packets to another server in active state, so subsequent authentication or accounting packets can still be sent to that server.
-
• VPN: Specify the VPN to which the RADIUS scheme belongs. This setting is effective for all RADIUS authentication servers and accounting servers configured in the RADIUS scheme, but the VPN individually specified for a RADIUS authentication or accounting server takes priority.
• Security Policy Server: Specify the IP address of the security policy server.
• Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.
-
• Accounting-On Attempts: Set the maximum number of accounting-on packet transmission attempts. This field is configurable only when the Send accounting-on packets box is selected.
• Attribute Interpretation: Enable or disable the device to interpret the RADIUS class attribute as CAR parameters.
7. In the RADIUS Server Configuration area, click Add.
Figure 154 RADIUS server configuration page
8. Configure the RADIUS server parameters, as described in Table 55.
9. Click Apply.
-
• Accounting for FTP users is not supported.
• If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.
• The status of RADIUS servers, blocked or active, determines which servers the device will communicate with or turn to when the current servers are not available.
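The following Python model is added to this guide to make the server-status behaviour concrete; it is not device code. It combines three statements from this chapter: the administrator can set a server to blocked or active, an unreachable server is held in the blocked state for the Quiet Time and then returns to active, and a quiet timer of 0 leaves the status active so that the next packet simply goes to another active server. Server order (primary, then secondaries) and the IP addresses 10.1.1.1 and 10.1.1.2 are taken from the examples in this guide; the quiet time values and the notion of a "reachable" set are constructed for the simulation.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class RadiusServer:
    ip: str
    status: str = "active"       # "active" or "blocked"
    blocked_until: float = 0.0   # time (seconds) at which a quiet-timer block expires


class RadiusScheme:
    """Servers are tried in order: primary first, then secondaries as configured."""

    def __init__(self, primary: RadiusServer, secondaries: Iterable[RadiusServer], quiet_minutes: int):
        self.servers: List[RadiusServer] = [primary, *secondaries]
        self.quiet_seconds = quiet_minutes * 60   # Quiet Time; 0 disables automatic blocking

    def set_state(self, server: RadiusServer, state: str) -> None:
        """Administrative state change (state { active | block }); a manual block never expires."""
        if state == "block":
            server.status, server.blocked_until = "blocked", float("inf")
        else:
            server.status, server.blocked_until = "active", 0.0

    def _expire_quiet_timers(self, now: float) -> None:
        for s in self.servers:
            if s.status == "blocked" and now >= s.blocked_until:
                s.status = "active"

    def select(self, now: float, skip: Set[str] = frozenset()) -> Optional[RadiusServer]:
        """First active server not already tried for this request, or None."""
        self._expire_quiet_timers(now)
        for s in self.servers:
            if s.status == "active" and s.ip not in skip:
                return s
        return None

    def mark_unreachable(self, server: RadiusServer, now: float) -> None:
        if self.quiet_seconds == 0:
            return   # quiet timer 0: status stays active; the packet just goes to another active server
        server.status = "blocked"
        server.blocked_until = now + self.quiet_seconds


def attempt_request(scheme: RadiusScheme, now: float, reachable: Set[str]) -> Optional[str]:
    """Simulate one authentication request: walk the active servers in order, blocking
    each unreachable one per the quiet timer, and return the IP that answered (or None)."""
    tried: Set[str] = set()
    while True:
        server = scheme.select(now, skip=tried)
        if server is None:
            return None
        if server.ip in reachable:
            return server.ip
        scheme.mark_unreachable(server, now)
        tried.add(server.ip)
```

The `attempt_request` loop is also where a short client-side timeout bites, as noted earlier for access modules with a short connection timeout: each unreachable server costs one full response timeout before the next one is tried.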
-
Configuring HWTACACS schemes
Recommended configuration procedure
1. Creating the HWTACACS scheme: Required. Create the HWTACACS scheme system. By default, no HWTACACS scheme exists.
2. Configuring HWTACACS authentication servers: Required. Specify the primary and the secondary HWTACACS authentication servers for the HWTACACS scheme system. When the primary server is not available, the secondary server is used. If no redundancy is needed, specify only the primary server.
-
Configuring HWTACACS servers
1. Select User > HWTACACS > Server Configuration from the navigation tree.
Figure 156 HWTACACS server configuration
2. Configure the HWTACACS server as described in Table 57.
3. Click Apply.
Table 57 Configuration items
• Server Type: Select the type of the server to be configured, which can be Authentication Server, Authorization Server, or Accounting Server.
• Enter the IP address of the primary server.
-
Configuring HWTACACS parameters
1. Select User > HWTACACS > Parameter Configuration from the navigation tree.
Figure 157 HWTACACS parameter configuration
2. Configure HWTACACS parameters, as described in Table 58.
3. Click Apply.
Table 58 Configuration items
• Enter the source IP address of HWTACACS packets sent to the HWTACACS server.
-
• Stop-Accounting Buffer, Stop-Accounting Packet Retransmission Times: Enable or disable buffering stop-accounting requests without responses in the device. Because stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the HWTACACS accounting servers.
-
• Unit of Data Flows: Specify the unit for data flows sent to the HWTACACS server for traffic accounting. The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For accurate accounting, make sure that the units for data flows and packets on the device are consistent with those configured on the HWTACACS servers. Options include:
  • Byte.
  • Kilo-byte.
  • Mega-byte.
  • Giga-byte.
-
Configuring an ISP domain
1. Select User > AAA > Domain Setup from the navigation tree. The Domain Setup page appears.
Figure 158 Domain Setup page
2. Create an ISP domain, as described in Table 60.
3. Click Apply.
Table 60 Configuration items
• Domain Name: Enter the ISP domain name. You can enter a new domain name to create a domain, or select an existing domain to change its status (whether it is the default domain).
-
Figure 159 Authentication method configuration page
2. Select the ISP domain and specify authentication methods for the domain, as described in Table 61.
3. Click Apply.
Table 61 Configuration items
• Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.
• Configure the default authentication method and secondary authentication method for all types of users.
-
• Login AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for login users. Options include:
  • HWTACACS—HWTACACS authentication. You must specify the HWTACACS scheme to be used.
  • Local—Local authentication.
  • None—No authentication. This method trusts all users and is not for general use.
  • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
-
3. Click Apply.
Table 62 Configuration items
• Select an ISP domain: Select the ISP domain for which you want to specify authorization methods.
• Default AuthZ: Configure the default authorization method and secondary authorization method for all types of users. If you do not specify any authorization method for a specific type of users, the default authorization method applies. Options include:
  • HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used.
-
• Portal AuthZ, Name: Configure the authorization method for portal users. Options include:
  • Local—Performs local authorization.
  • None—This method trusts all users and assigns default rights to them.
  • RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
  • Not Set—The device uses the settings in the Default AuthZ area for portal users.
• Configure the command authorization method. Options include:
  • HWTACACS—Performs HWTACACS authorization.
-
• Accounting Optional: Specify whether to enable the accounting optional feature. The feature enables a user who would otherwise be disconnected to use network resources even if there is no accounting server available or communication with the current accounting server fails. If accounting for the user fails, the device no longer sends real-time accounting updates for the user.
• Configure the default accounting method and secondary accounting method for all types of users.
-
• Portal Accounting, Name: Configure the accounting method for portal users. Options include:
  • Local—Local accounting.
  • None—No accounting.
  • RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
  • Not Set—The device uses the settings in the Default Accounting area for portal users.
Authentication/authorization for Telnet/SSH users by a RADIUS server
The configuration of RADIUS authentication and authorization for SSH users is similar to that for Telnet users.
-
c. To add a RADIUS scheme, enter system as the scheme name, select Extended as the server type, and select With domain name for the username format.
d. To add the primary authentication server, click Add in the RADIUS Server Configuration area, select Primary Authentication as the server type, enter 10.1.1.1 as the IP address, enter 1812 as the port, enter expert as the key, enter expert again to confirm the key, and click Apply.
Figure 163 Adding a RADIUS authentication server
e.
-
Figure 165 Adding a RADIUS scheme
3. Add an ISP domain:
a. Select User > AAA > Domain Setup from the navigation tree.
b. Enter bbb as the domain name.
c. Click Apply.
-
Figure 166 Adding an ISP domain
4. Configure the authentication method for the ISP domain:
a. Select User > AAA > Authentication from the navigation tree.
b. Configure the authentication method for the ISP domain as follows: Select the ISP domain bbb from the list. Select the box next to Default AuthN and then select RADIUS from the list. Select system from the Name list.
c. Click Apply. A configuration progress dialog box appears.
d. Click Close when the configuration process is complete.
-
Select the ISP domain bbb from the list. Select the box next to Default AuthZ and then select RADIUS from the list. Select system from the Name list.
c. Click Apply. A configuration progress dialog box appears.
d. Click Close when the configuration process is complete.
Figure 168 Configuring the authorization method for the ISP domain
6. Configure the accounting method for the ISP domain:
a. Select User > AAA > Accounting from the navigation tree.
b.
-
7. Enable the Telnet service on the firewall:
a. Select Device Management > Service Management from the navigation tree.
b. Select the box next to Enable Telnet service.
c. Click Apply.
Figure 170 Enabling the Telnet service
8. Configure the firewall to use AAA for Telnet users.
-
f. Enter the password abcd and confirm the password.
g. Select the virtual device Root.
h. Click Apply.
Figure 172 Configuring a local user
The following matrix shows the DVPN service and hardware compatibility:
Hardware / DVPN service compatible:
• F1000-A-EI/F1000-S-EI: No
• F1000-E: Yes
• F5000: Yes
• Firewall module: Yes
• U200-A: No
• U200-S: No
2. Configure ISP domain test:
a. Select User > AAA > Domain Setup from the navigation tree. The domain configuration page appears.
b.
-
Figure 173 Configuring ISP domain test
3. Configure the ISP domain to use local authentication:
a. Select User > AAA > Authentication from the navigation tree.
b. Select the ISP domain test, click the Login AuthN box, and select Local from the list.
c. Click Apply. A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 174 Configuring the ISP domain to use local authentication
4. Configure the ISP domain to use local authorization:
a.
-
Figure 175 Configuring the ISP domain to use local authorization
5. In the CLI, enable the Telnet service, and configure VTY interfaces 0 through 4 to use AAA for users.
system-view
[Firewall] telnet server enable
[Firewall] user-interface vty 0 4
[Firewall-ui-vty0-4] authentication-mode scheme
[Firewall-ui-vty0-4] quit
Verifying the configuration
1. Telnet to the firewall and enter the username telnet@test and the password. You can enter the user interface of the firewall.
2.
-
Figure 177 Network diagram (HWTACACS server 10.1.1.1/24, Internet, Telnet user, Firewall)
Configuring the HWTACACS server
Set the shared keys to expert, add a Telnet user account, and set the password for the user. (Details not shown.)
Configuring the firewall
1. Configure the IP address of each interface and add them to security zones. (Details not shown.)
2. Create the HWTACACS scheme system:
a. From the navigation tree, select User > HWTACACS > Server Configuration.
b.
-
Figure 179 Configuring an HWTACACS authentication server
4. Configure an HWTACACS authorization server:
a. On the page shown in Figure 179, select Authorization Server as the server type.
b. Enter 10.1.1.1 as the IP address of the primary server.
c. Enter 49 as the TCP port of the primary server.
d. Select Shared Key, enter expert as the shared key, and then confirm it.
e. Click Apply.
5. Configure an HWTACACS accounting server:
a.
-
7. Enable the Telnet service on the firewall:
a. Select Device Management > Service Management from the navigation tree.
b. Select the box next to Enable Telnet service.
c. Click Apply.
Figure 181 Enabling the Telnet service
8.
-
• The password entered by the user is incorrect.
• The RADIUS server and the NAS are configured with different shared keys.
Solution
Check that:
• The NAS and the RADIUS server can ping each other.
• The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS.
• The user is configured on the RADIUS server.
• The correct password is entered.
• The same shared key is configured on both the RADIUS server and the NAS.
-
Troubleshooting HWTACACS
Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."
-
Configuring password control
Password control can be configured only at the CLI. Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
• Minimum password length
By setting a minimum password length, you can require users to use passwords that are long enough for system security.
-
With this feature enabled, the system keeps a record of the passwords a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must differ from each used password by at least four characters, and the four characters must not be the same. Otherwise, the password change fails and the system displays an error message.
-
When a user sets or changes the password, the system checks whether the password satisfies the composition requirement. If not, the system displays an error message. Composition type-number must be 4 in FIPS mode.
• Password complexity checking
A less complicated password, such as a password containing the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure that all user passwords are relatively complicated.
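The Python example below is added to this guide to show the password control checks above (minimum length, password history, password composition, and complexity checking including the username and reverse-username refusal from the configuration example) as one policy evaluation; it is not the firewall's implementation. Two details the text leaves open are handled as labelled assumptions: "repeated characters" is taken to mean three or more identical characters in a row, and "the four characters must not be the same" is taken to mean that the characters that differ from the old password must not all be the same character. The default length of 10 matches the global parameter stated in this chapter; the default composition type-number of 2 is an assumption (the text states only that it must be 4 in FIPS mode).

```python
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    min_length: int = 10          # password-control length: 10 characters by default (page value)
    composition_types: int = 2    # composition type-number: ASSUMED default; must be 4 in FIPS mode
    history_min_diff: int = 4     # new password must differ from each old one by at least 4 characters
    repeat_run: int = 3           # ASSUMPTION: "repeated characters" = this many identical characters in a row


def character_types(password: str) -> int:
    """Count the character types present: uppercase, lowercase, digit, special."""
    kinds = set()
    for ch in password:
        if ch.isupper():
            kinds.add("upper")
        elif ch.islower():
            kinds.add("lower")
        elif ch.isdigit():
            kinds.add("digit")
        else:
            kinds.add("special")
    return len(kinds)


def differs_enough(new: str, old: str, min_diff: int) -> bool:
    """History rule: at least min_diff differing characters, and the differing characters
    in the new password must not all be the same character (interpretation of the text)."""
    changed = [n for n, o in zip(new, old) if n != o]
    changed += list(new[len(old):])                 # extra characters in the new password
    count = len(changed) + max(0, len(old) - len(new))   # characters dropped from the old one
    return count >= min_diff and len(set(changed)) > 1


def has_repeat_run(password: str, run: int) -> bool:
    return any(len(set(password[i:i + run])) == 1 for i in range(len(password) - run + 1))


def check_password(policy: PasswordPolicy, username: str, new_password: str, history: List[str]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(new_password) < policy.min_length:
        violations.append("length")
    if character_types(new_password) < policy.composition_types:
        violations.append("composition")
    lowered, user = new_password.lower(), username.lower()   # case-insensitive match is an assumption
    if user in lowered or user[::-1] in lowered:
        violations.append("username")                # password contains the username or its reverse
    if has_repeat_run(new_password, policy.repeat_run):
        violations.append("repeat")
    if any(not differs_enough(new_password, old, policy.history_min_diff) for old in history):
        violations.append("history")
    return violations
```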
-
  ◦ For super passwords, the settings configured specifically for super passwords, if any, override those configured in system view.
To configure password control:
• Enabling password control: Required.
• Setting global password control parameters: Optional.
• Setting user group password control parameters: Optional.
• Setting local user password control parameters: Optional.
• Setting super password control parameters: Optional.
• Setting a local user password in interactive mode: Optional.
-
To set global password control parameters:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Set the password aging time. Command: password-control aging aging-time. Remarks: Optional. 90 days by default.
3. Set the minimum password update interval. Command: password-control password update interval interval. Remarks: Optional. 24 hours by default.
4. Set the minimum password length. Command: password-control length length. Remarks: Optional. 10 characters by default. At least 8 characters.
-
Setting user group password control parameters
1. Enter system view. Command: system-view. Remarks: N/A.
2. Create a user group and enter user group view. Command: user-group group-name. Remarks: N/A.
3. Configure the password aging time for the user group. Command: password-control aging aging-time. Remarks: Optional. By default, the password aging time of the user group equals the global password aging time.
4. Configure the minimum password length for the user group. Remarks: Optional.
-
Setting super password control parameters
CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can use only the commands at that level or lower levels. To switch from a lower user level to a higher one, a user must enter a password for authentication. This password is called a super password.
-
• Display information about users in the password control blacklist. Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Support for the ipv6 ipv6-address option depends on the device model. For more information, see Access Control Command Reference.
• Delete users from the password control blacklist. Command: reset password-control blacklist [ user-name name ].
-
# Set the minimum password update interval to 36 hours.
[Firewall] password-control password update interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[Firewall] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Firewall] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
-
Maximum failed login attempts: 2 times
Login attempt-failed action: Lock
Minimum password update time: 36 hours
User account idle-time: 30 days
Login with aged password: 5 times in 60 day(s)
Password complexity: Enabled (username checking)
                     Enabled (repeated characters checking)
# Display the password control configuration for super passwords.
-
FIPS configuration
Feature and hardware compatibility
Hardware / FIPS compatible:
• F1000-A-EI/F1000-S-EI: Yes
• F1000-E: Yes
• F5000: Yes
• Firewall module: Yes
• U200-A: No
• U200-S: No
Overview
Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high.
-
Follow these steps to enable FIPS mode:
• Enter system view. Use the command: system-view. Remarks: —
• Enable FIPS mode. Use the command: fips mode enable. Remarks: Required. Not enabled by default.
Settings changed by enabling FIPS mode
After you enable FIPS mode and restart the device, the following changes occur.
• The FTP/TFTP server is disabled.
• The Telnet server is disabled.
• The HTTP server is disabled.
• SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.
-
Table 64 List of power-up self-tests
• Cryptographic algorithm self-tests: Test the following algorithms:
  • DSA (signature and authentication)
  • RSA (signature and authentication)
  • RSA (encryption and decryption)
  • AES
  • 3DES
  • SHA1
  • SHA256
  • HMAC-SHA1
  • Random number generator algorithms
• Cryptographic engine self-tests: Test the following algorithms used by cryptographic engines:
  • DSA (signature and authentication)
  • RSA (signature and authentication)
  • RSA (encryption and d
-
• Enter system view. Use the command: system-view. Remarks: —
• Trigger a self-test. Use the command: fips self-test. Remarks: Required.
Displaying and maintaining FIPS
• Display FIPS state. Use the command: display fips status. Remarks: Available in any view.
-
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
-
Conventions
This section describes the conventions used in this documentation set.
Command conventions
• Boldface: Bold text represents commands and keywords that you enter literally as shown.
• Italic: Italic text represents arguments that you replace with actual values.
• [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
• { x | y | ...
-
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a firewall product or a UTM device.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
-
Index
A
Address resource overview, 52
C
Configuration guidelines, 28
Configuration guidelines, 73
Configuration guidelines, 139
Configuration pr
Configuring virtual fragment reassembly at the CLI, 133
Contacting HP, 289
Controlling access of portal users, 162
Conventions, 290
D
Displaying and maintaining FIPS, 288
Displaying and maintaining password control, 281
-
O
Overview, 1
Overview, 147
P
Password control configuration example, 282
Password control configuration task list, 277
Portal configuration examples, 170
Portal configur
S
Setting local user password control parameters, 280
Setting super password control parameters, 281
Setting user group password control parameters, 280
Specifying a source IP address for outgoing portal packets, 165
Specifying an autoredirection URL for authenticated portal users, 166